Users beware: Your browser’s autofill opens you up to phishing danger

11 Jan 2017

Browsers are the latest conduit for phishers to con users into revealing data. Image: Syda Productions/Shutterstock

Various popular browsers can be tricked into giving away a user’s private information via their profile-based autofill systems, a researcher has revealed.

Finnish security researcher Viljami Kuosmanen has created a proof-of-concept website that shows how users can be tricked into sharing the data that they have stored in their browser’s autofill system.

It is understood that several browsers including Chrome, Safari and Opera are vulnerable to the hack.

Kuosmanen has discovered that when a user attempts to fill in information in simple text boxes such as name and email address, the autofill system will input other profile-based information into other text boxes, even ones not visible on the page.

Autofill danger Users beware: Your browser’s autofill opens you up to phishing danger

This means that users putting in basic information on websites – which could be phishing websites – may be giving away more than they realise.

“It works differently in some other browsers,” Kuosmanen explained. For example, in Safari, it will tell you all the data it is filling into the form, even if it isn’t visible to you.

“In Firefox, you have to right-click an input field and then select an identity to use. So a Firefox user autofills each field,” he said, suggesting that the Mozilla Firefox browser is the only one immune from the vulnerability.

This could be one of the most frightening vulnerabilities to exist, and one which browser makers may need to move fast to fix, in order to assure users.

Google’s Chrome browser, for example, has an autofill system that is switched on by default that stores data on email addresses, phone numbers, mailing addresses, credit card information and other bits and pieces gathered with the user’s consent.

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years

editorial@siliconrepublic.com