Researcher shows how to use autofill browser function for phishing

Finnish security researcher Viljami Kuosmanen has shown how attackers can use the browser’s autofill form field feature to steal data. The method works with hidden form fields.

Kuosmanen provided the German site Golem with explanations about his project and published the source code on his GitHub page. His method uses hidden form fields, which are kept out of sight of the user with some CSS. However, this does not stop the browser from filling in the hidden fields, even if only one or two are visible to the user.

For example, the user thinks he only fills in the fields for name and e-mail, but reveals more information via the hidden fields. To demonstrate this, the researcher built a demo site. He tested his method in Chrome and Safari, both of which are susceptible to such an attack. The method cannot be used for data such as usernames, passwords and credit card details, because the browsers show a warning.

Safari shows the user which data is entered, but an inattentive user can still have too much entered. Firefox is not amenable to the method, because it doesn’t have an autofill function so much as an autocomplete variant, the researcher explains to Golem. For example, a user must select each field individually to see a list of previously entered options.

The researcher says he got the idea when he was annoyed by the autofill feature in Chrome and wanted to find out how much data the browser actually stored about him. He adds that the method is not new, because it is also used for honeypots, for example. However, the method shows that browsers do not detect that certain fields are invisible to the user and that there is still no solution to the problem. According to Kuosmanen, a possible defense is disabling autofill, which is a good measure at all. In addition, he sees the most in the approach of Firefox.

Demonstration of the data sent, via GitHub