This simple phishing attack can steal your browser autofill data

Some browsers will turn over a user's autofill information -- even when the website doesn't ask for it.
Written by Zack Whittaker, Contributor


Your browser might be inadvertently exposing personal data to phishers and attackers because of a flaw in how data is automatically filled on some websites.

Finnish hacker and security researcher Viljami Kuosmanen found that a webpage with form fields hidden from the user will be filled anyway, thanks to the browser's autofill feature, which automatically populates fields, such as names, addresses, and even credit card data.

In the case of Chrome, which autofills data by default, a phisher could trick a user into turning over more personal data than they realize. If the fields on the page are hidden, the user may be none the wiser.

In Kuosmanen's proof-of-concept posted on GitHub, he was able to obtain a user's address and credit card number, expiration date, and card security code.

Here's how it works:

Several browsers including Google Chrome, Apple's Safari, and Opera are affected by the bug.

But Firefox is said to be immune to the bug, according to Mozilla security researcher Daniel Veditz, who said in a tweet that fields that can't be clicked by the user won't be autofilled.
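The check Veditz describes (only fill fields the user could actually click) is also a useful audit rule for anyone reviewing a form or writing a browser extension. The following is an added example, not code from the article or from Kuosmanen's proof-of-concept: it flags form fields that carry a sensitive autofill category but are not visible to the user, which is exactly the combination the hidden-field trick relies on. The field descriptors, the `SAMPLE_FIELDS` data and the `NAME_HINTS` fallback (a rough stand-in for the browser's own name-based autofill heuristics) are all assumptions made for the example; `collectFields()` builds the same descriptors from a live page when run in a browser.

```javascript
// Autocomplete tokens (WHATWG names) that map to personal or payment data.
const SENSITIVE_AUTOCOMPLETE = new Set([
  "name", "given-name", "family-name", "email", "tel",
  "street-address", "address-line1", "address-line2", "postal-code",
  "cc-name", "cc-number", "cc-exp", "cc-exp-month", "cc-exp-year", "cc-csc",
]);

// Assumption: a crude approximation of the name/id heuristics browsers use
// when a field has no autocomplete attribute at all.
const NAME_HINTS = /(card|cc|cvc|cvv|ccv|expir|addr|street|zip|postal|phone|tel|email)/i;

// Which autofill category a field is likely to receive, or null if none.
function autofillCategory(f) {
  const tokens = (f.autocomplete || "").trim().toLowerCase().split(/\s+/);
  const last = tokens[tokens.length - 1];
  if (last === "off") return null; // treated as opt-out here; browsers do not always honour it
  if (SENSITIVE_AUTOCOMPLETE.has(last)) return last;
  if (NAME_HINTS.test(f.name || "")) return "heuristic:" + f.name;
  return null;
}

// A field is hidden if it is not rendered, invisible, transparent, has no box,
// or sits entirely outside the viewport, i.e. the user could not click it.
function isVisuallyHidden(f) {
  const s = f.style || {};
  if (s.display === "none" || s.visibility === "hidden") return true;
  if (s.opacity !== undefined && Number(s.opacity) === 0) return true;
  const r = f.rect;
  if (r) {
    if (r.width === 0 || r.height === 0) return true;
    if (r.right <= 0 || r.bottom <= 0) return true;
    if (f.viewport && (r.left >= f.viewport.width || r.top >= f.viewport.height)) return true;
  }
  return false;
}

// Fields that would be autofilled with sensitive data although the user cannot see them.
// <input type="hidden"> is excluded because browsers never autofill it.
function findHiddenAutofillFields(fields) {
  return fields.filter(f =>
    f.type !== "hidden" && autofillCategory(f) !== null && isVisuallyHidden(f));
}

// Build descriptors from a real document (only usable inside a browser).
function collectFields(doc, win) {
  return Array.from(doc.querySelectorAll("input, select, textarea")).map(el => {
    const cs = win.getComputedStyle(el);
    const r = el.getBoundingClientRect();
    return {
      name: el.name || el.id, type: el.type, autocomplete: el.getAttribute("autocomplete"),
      style: { display: cs.display, visibility: cs.visibility, opacity: cs.opacity },
      rect: { left: r.left, top: r.top, right: r.right, bottom: r.bottom, width: r.width, height: r.height },
      viewport: { width: win.innerWidth, height: win.innerHeight },
    };
  });
}

// Constructed sample: a checkout form with two visible fields and three fields
// the user cannot see (display:none, pushed off-screen, and fully transparent).
const VP = { width: 1280, height: 800 };
const VISIBLE = { display: "block", visibility: "visible", opacity: "1" };
const box = (left, top) => ({ left, top, right: left + 200, bottom: top + 30, width: 200, height: 30 });
const SAMPLE_FIELDS = [
  { name: "name", type: "text", autocomplete: "name", style: VISIBLE, rect: box(20, 40), viewport: VP },
  { name: "email", type: "email", autocomplete: "email", style: VISIBLE, rect: box(20, 90), viewport: VP },
  { name: "cc-number", type: "text", autocomplete: "cc-number",
    style: { display: "none", visibility: "visible", opacity: "1" },
    rect: { left: 0, top: 0, right: 0, bottom: 0, width: 0, height: 0 }, viewport: VP },
  { name: "cc-csc", type: "text", autocomplete: "cc-csc", style: VISIBLE, rect: box(-2000, 40), viewport: VP },
  { name: "cvv", type: "text", autocomplete: null,
    style: { display: "block", visibility: "visible", opacity: "0" }, rect: box(20, 140), viewport: VP },
  { name: "csrf", type: "hidden", autocomplete: null, style: VISIBLE,
    rect: { left: 0, top: 0, right: 0, bottom: 0, width: 0, height: 0 }, viewport: VP },
  { name: "street", type: "text", autocomplete: null, style: VISIBLE, rect: box(20, 190), viewport: VP },
];

function auditSample() {
  return findHiddenAutofillFields(SAMPLE_FIELDS).map(f => f.name);
}

console.log("hidden autofill targets:", auditSample().join(", "));
```

Run in Node to see the sample result; in a browser, `findHiddenAutofillFields(collectFields(document, window))` audits the current page. Visibility is judged from computed style and layout rather than from the `hidden` attribute alone, because the fields in the attack are typically hidden with CSS or positioned off-screen rather than marked `type="hidden"`.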

Some browser extensions, such as LastPass, can also be tricked into turning over user data.
