We all use the browser's autofill functionality to fill in personal information that is repeatedly required to sign up for new services or to shop online. Autofill was born out of necessity, but it was recently shown (although the issue has been known for quite some time) that the browser might be giving away your information to phishers. Sadly, the same is also true of password managers, the tools we use to generate and save strong passwords for different sites.
Viljami Kuosmanen, a Finnish web developer and hacker, has discovered that several browsers, including Chrome, Apple's Safari and Opera, and utility tools like LastPass can be tricked into giving away users' personal information, which they fetch from the autofill data linked with the user's profile.
The attack relies on tricking the user: when the user enters information in any one of the boxes, autofill will also enter other information in any of the other boxes, even ones that are not visible on the page. So while the user intends to give up only basic information, the phisher gets hold of all the information stored by autofill. Needless to say, this can include credit card information, mailing addresses, and other services which the user has signed up for. If interested, you can check out this demo site, which asks you to enter your email and name but, once submitted, displays other personal information such as your cell phone number and date of birth.
— viljami.io (@anttiviljami) January 4, 2017
However, Firefox seems to be the only browser that is immune to such attacks: it does not yet support a multi-box autofill system, so it cannot be led to fill in other information without the user activating those text fields. The phishing attack still relies on tricking users into entering at least some information using autofill; after that, the coast is clear for the attackers. Adding to the woes, autofill is turned on by default in some browsers, including Google Chrome, and it is advisable to toggle it off to protect yourself from such an attack. In the meantime, also look out for unscrupulous pages before giving out any data.
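The hidden-field pattern described above can be checked for from the defender's side. The following is an added example, not code from the original article or from Kuosmanen's demo: it flags data fields in a form that a user cannot see. The function names `describeField`, `hiddenReasons` and `auditForm`, the field names and the sample coordinates are assumptions made for illustration.

```javascript
// In a browser, build the audit input with:
//   Array.from(form.querySelectorAll('input, select, textarea'), describeField)
function describeField(el) {
  const cs = getComputedStyle(el);
  const r = el.getBoundingClientRect();
  return {
    name: el.name || el.id, type: el.type,
    display: cs.display, visibility: cs.visibility, opacity: cs.opacity,
    // Page coordinates, so the result does not depend on scroll position.
    left: r.left + window.scrollX, top: r.top + window.scrollY,
    width: r.width, height: r.height,
  };
}

// Why a user could not see this field (an empty array means it is visible).
// Limitation: opacity or clipping applied by an ancestor is not detected.
function hiddenReasons(f) {
  const reasons = [];
  if (f.display === 'none') reasons.push('display:none');
  if (f.visibility !== 'visible') reasons.push('visibility:' + f.visibility);
  if (parseFloat(f.opacity) === 0) reasons.push('opacity:0');
  if (f.width < 1 || f.height < 1) reasons.push('no-size');
  else if (f.left + f.width <= 0 || f.top + f.height <= 0) reasons.push('off-page');
  return reasons;
}

// Controls the user never types into (tokens, buttons, toggles) are ignored.
const NO_DATA = new Set(['hidden', 'submit', 'button', 'reset', 'image', 'checkbox', 'radio', 'file']);

function auditForm(fields) {
  const data = fields.filter(f => !NO_DATA.has(f.type));
  const flagged = data.map(f => ({ name: f.name, reasons: hiddenReasons(f) }))
                      .filter(x => x.reasons.length > 0);
  const visible = data.length - flagged.length;
  // Visible data fields sitting beside invisible ones is the pattern to flag.
  return { visible, flagged, suspicious: visible > 0 && flagged.length > 0 };
}

// Constructed sample: two fields the user sees, two they do not, one CSRF token.
const shown = { display: 'inline-block', visibility: 'visible', opacity: '1', width: 220, height: 28 };
const SAMPLE_FIELDS = [
  { ...shown, name: 'name', type: 'text', left: 40, top: 120 },
  { ...shown, name: 'email', type: 'email', left: 40, top: 160 },
  { ...shown, name: 'phone', type: 'tel', left: -500, top: 0 },
  { ...shown, name: 'address', type: 'text', display: 'none', left: 0, top: 0, width: 0, height: 0 },
  { name: 'csrf', type: 'hidden', display: 'none', visibility: 'visible', opacity: '1', left: 0, top: 0, width: 0, height: 0 },
];

console.log(JSON.stringify(auditForm(SAMPLE_FIELDS), null, 2));
```

A form that reports `suspicious: true` is one to inspect before letting autofill run on it; a legitimately collapsed section of a multi-step form will also be flagged, so the result is a prompt for review rather than a verdict.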