Phishing Attack Steals Your Personal Details from Browser Autofill and Password Managers

Last updated on: January 11th, 2017

We all use the browser’s autofill functionality to fill in personal information that is repeatedly required when signing up for new services or shopping online. Autofill was born out of necessity, but it has recently been discovered (the issue has existed for quite some time) that the browser might be giving away your information to phishers. Sadly, the same is true of password managers, the tools we use to generate and save strong passwords for different sites.


Viljami Kuosmanen, a Finnish web developer and hacker, has discovered that several browsers, including Chrome, Apple’s Safari and Opera, as well as utility tools like LastPass, can be tricked into giving away users’ personal information, which the browsers fetch from the autofill systems linked to their profiles.

The attack relies on tricking users: when a user enters information in any of the boxes, autofill will enter other information in the other boxes, even ones that are not visible on the page. So while the user intends to give up only basic information, the phisher gets hold of all the information stored by autofill. Needless to say, the phisher will also be getting hold of other information, including credit card information, mailing addresses, and other services which the user has signed up for. If interested, you can check out this demo site, which asks you to enter your email and name but, once submitted, displays other personal information such as your cell phone number and date of birth.

However, Firefox seems to be the only browser immune to such attacks, since it does not yet support a multi-box autofill system and thus cannot be led to fill in other information without the user activating the text fields. The phishing attack still relies on tricking users into entering at least some information using autofill, after which the coast is clear for the attackers. Adding to the woes, autofill is turned on by default in some browsers, including Google Chrome, and it is advisable to toggle it off to protect yourself from such an attack. In the meantime, look out for unscrupulous pages before giving out any data.
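A page can be audited for the hidden-field behaviour described above. The following is an added example, not code from the original article or from Kuosmanen's demo: a JavaScript check that flags form fields likely to be filled from a saved profile but not visible to the user. The field-name list, function names and sample data are assumptions constructed for illustration.

```javascript
// Added example: flag profile-type form fields that the user cannot see.
// Names/autocomplete tokens treated as autofill-eligible (assumed list, extend as needed).
const PROFILE_HINTS = /name|email|tel|phone|address|street|city|postal|zip|country|organization|cc-|card|bday|birth/i;

// Browser-only helper: reduce a <form> to plain descriptors (document coordinates).
function describeForm(form) {
  return Array.from(form.querySelectorAll('input, select, textarea'), (el) => {
    const r = el.getBoundingClientRect();
    const s = getComputedStyle(el);
    return {
      name: el.name, type: el.type, autocomplete: el.getAttribute('autocomplete') || '',
      display: s.display, visibility: s.visibility, opacity: Number(s.opacity),
      width: r.width, height: r.height,
      right: r.right + window.scrollX, bottom: r.bottom + window.scrollY,
    };
  });
}

// Why a field is invisible to the user, or null if it is visible.
// Limitation: ancestors with opacity:0 or overflow clipping are not inspected.
function hiddenReason(f) {
  if (f.type === 'hidden') return null; // page-set value; treated here as out of scope
  if (f.display === 'none') return 'display:none';
  if (f.visibility !== 'visible') return 'visibility:' + f.visibility;
  if (f.opacity === 0) return 'opacity:0';
  if (f.width === 0 || f.height === 0) return 'zero size';
  if (f.right <= 0 || f.bottom <= 0) return 'positioned off-page';
  return null;
}

// Returns [{ name, reason }] for every profile-type field the user cannot see.
function findHiddenAutofillFields(fields) {
  return fields
    .filter((f) => PROFILE_HINTS.test(`${f.name} ${f.autocomplete}`))
    .map((f) => ({ name: f.name, reason: hiddenReason(f) }))
    .filter((x) => x.reason !== null);
}

// Constructed sample: a form that shows name and email but also carries unseen fields.
const shown = { type: 'text', autocomplete: '', display: 'inline-block', visibility: 'visible',
                opacity: 1, width: 180, height: 24, right: 300, bottom: 140 };
const SAMPLE_FIELDS = [
  { ...shown, name: 'name' },
  { ...shown, name: 'email', type: 'email' },
  { ...shown, name: 'phone', right: -320 },                  // pushed off the left edge
  { ...shown, name: 'address', autocomplete: 'street-address', display: 'none', width: 0, height: 0 },
  { ...shown, name: 'q', opacity: 0 },                       // hidden, but not profile data
  { ...shown, name: 'csrf_token', type: 'hidden' },
];
console.log(findHiddenAutofillFields(SAMPLE_FIELDS));
```

In a browser, run `findHiddenAutofillFields(describeForm(document.forms[0]))` from the developer console before letting autofill complete a form.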

Source: Guardian


  1. There are not going to be many systems that will protect you against phishing attacks, but if you limit tools that auto-fill, you will certainly increase your chances against those attacks. Another point: avoiding sharing your passwords on any tools, such as password managers, will reduce your risks of insider threats. There is only 1 password manager out there that does not ask you to enter your passwords and/or save them; it’s called PasswordWrench. They have a new approach using a combination of password cards and hints that only you control. Even your spouse won’t have any clue what your passwords are even if you lay everything down on a table. When nobody knows your passwords and even the tools you use, that’s when you can use the words “safe” and “secure”. They don’t have auto fill on a form but they provide easy access with a few mouse clicks that you control. This will help you against phishing attacks, keyloggers, hidden cameras and more.