Various popular browsers can be tricked into giving away a user’s private information via their profile-based autofill systems, a researcher has revealed.
Finnish security researcher Viljami Kuosmanen has created a proof-of-concept website that shows how users can be tricked into sharing the data that they have stored in their browser’s autofill system.
It is understood that several browsers including Chrome, Safari and Opera are vulnerable to the hack.
Kuosmanen has discovered that when a user attempts to fill in information in simple text boxes such as name and email address, the autofill system will input other profile-based information into other text boxes, even ones not visible on the page.
This means that users putting in basic information on websites – which could be phishing websites – may be giving away more than they realise.
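As an added example (not code from Kuosmanen's proof of concept or from any browser), the JavaScript below shows a check a site auditor or browser extension could run: it lists the text boxes autofill could populate that the user cannot see. The field descriptors, function names and sample form are constructed for illustration.

```javascript
// Input types treated as autofill candidates (text-like boxes, as in the article).
const FILLABLE_TYPES = new Set(["text", "email", "tel", "number", "url", "search"]);

// Returns why a field cannot be seen by the user, or null if it is visible.
// Coordinates are page coordinates in CSS pixels.
function hiddenReason(f) {
  if (f.display === "none") return "display:none";
  if (f.visibility !== "visible") return "visibility:" + f.visibility;
  if (Number(f.opacity) === 0) return "opacity:0";
  if (f.width < 1 || f.height < 1) return "zero-size";
  // Entirely left of or above the page origin: cannot be scrolled into view.
  if (f.left + f.width <= 0 || f.top + f.height <= 0) return "off-page";
  return null;
}

// Lists every autofill candidate that the user cannot see.
function auditForm(fields) {
  return fields
    .filter((f) => FILLABLE_TYPES.has(f.type))
    .map((f) => ({ name: f.name, reason: hiddenReason(f) }))
    .filter((x) => x.reason !== null);
}

// Browser-side helper that builds a descriptor from a live element.
// Not called here, so the block also runs under Node.
// Limitation: opacity set on an ancestor element is not detected.
function describeField(el) {
  const cs = getComputedStyle(el);
  const r = el.getBoundingClientRect();
  return {
    name: el.name, type: el.type,
    display: cs.display, visibility: cs.visibility, opacity: cs.opacity,
    left: r.left + window.scrollX, top: r.top + window.scrollY,
    width: r.width, height: r.height,
  };
}

// Constructed sample: two visible boxes and three the user never sees.
const shown = { display: "inline-block", visibility: "visible", opacity: "1", width: 200, height: 24 };
const SAMPLE_FORM = [
  { ...shown, name: "name", type: "text", left: 40, top: 100 },
  { ...shown, name: "email", type: "email", left: 40, top: 140 },
  { ...shown, name: "phone", type: "tel", left: -500, top: 180 },
  { ...shown, name: "address", type: "text", left: 40, top: 220, display: "none", width: 0, height: 0 },
  { ...shown, name: "postal", type: "text", left: 40, top: 260, opacity: "0" },
];

console.log(auditForm(SAMPLE_FORM));
```

In a browser, the same audit can be run on a live form by passing `Array.from(form.elements).map(describeField)` to `auditForm`.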
“It works differently in some other browsers,” Kuosmanen explained. “For example, in Safari, it will tell you all the data it is filling into the form, even if it isn’t visible to you.
“In Firefox, you have to right-click an input field and then select an identity to use. So a Firefox user autofills each field,” he said, suggesting that the Mozilla Firefox browser is the only one immune from the vulnerability.
This could be one of the most frightening vulnerabilities to exist, and one which browser makers may need to move fast to fix in order to reassure users.
Google’s Chrome browser, for example, has an autofill system that is switched on by default and stores email addresses, phone numbers, mailing addresses, credit card information and other bits and pieces gathered with the user’s consent.