Warn Your Clients: Browser Autofill Can Steal Their Personal Details in New Phishing Vulnerability

By Patrick Burke on January 25, 2017

A Finnish web developer discovered that the “autofill profiles” now offered by certain browsers provide attackers with a new phishing vector. Autofill profiles let users store a preset profile of personal information that they would usually type into web forms. When a user fills in a couple of simple text boxes, the autofill system also populates any other text boxes on the page from that profile, even boxes that are not visible to the user, and from there the attacker harvests the additional autofilled personal information without the user’s knowledge.

Autofill profiles are not to be confused with form field autofilling behavior, which allows the user to fill in one form field at a time with data previously entered in those fields, while autofill profiles in browsers enable users to fill in an entire web form with one click.  

The Finn, Viljami Kuosmanen, discovered this vulnerability and tweeted a gif that demonstrates the issue (you can access it here). Kuosmanen was annoyed with his browser autofilling the wrong fields on an ecommerce site. He checked what details the browser had saved for autofill about him and was surprised by how much information was available, Kuosmanen told Bleeping Computer. He then probed to see which form fields the autofill feature would fill in, and thought to test hidden form fields. He found that if a user chooses to autofill two visible fields, other hidden fields will be filled as well, because they are part of the same form (even if the user can’t see them because they are hidden or positioned outside the user’s screen). This could include a wide range of personal information, potentially including addresses, phone numbers and even credit card information.

Kuosmanen’s demo of the issue consists of a basic web form with just two fields: name and email. His demo shows that what is not visible — unless looking at the site’s source code — are a half dozen hidden fields (Phone, Organization, Address, Postal Code and Country). “I had known about this issue for a long time,” said Kuosmanen. “A similar thing (honeypots) is used to trap bots in forms to avoid spam. This is the same idea, just trap real browser users instead of bots.”
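As an added illustration (not part of the original post or Kuosmanen’s demo), the script below audits a form for fields that an autofill profile could populate even though the user cannot see them. The list of profile-style field names and the sample form are assumptions constructed to mirror the two-visible, several-hidden layout described above.

```javascript
// Added audit helper: flag form fields that browser autofill could fill from a
// saved profile while they stay invisible to the user. Not code from the post.

// Field names/autocomplete tokens that browsers typically fill from a profile
// (assumed list for the demo; extend for your own forms).
const PROFILE_FIELD_NAMES =
  /name|email|tel|phone|organization|company|address|street|postal|zip|city|country|cc-|card/i;

// A plain descriptor is "hidden" if any common concealment technique applies.
function isHidden(field) {
  const s = field.style || {};
  const r = field.rect || { width: 1, height: 1 };
  const offscreen = s.position === "absolute" &&
    (parseInt(s.left, 10) < -1000 || parseInt(s.top, 10) < -1000);
  return field.type === "hidden" || s.display === "none" ||
    s.visibility === "hidden" || Number(s.opacity) === 0 ||
    r.width === 0 || r.height === 0 || offscreen;
}

// Return the descriptors that are both autofill candidates and hidden.
function auditFields(fields) {
  return fields.filter((f) =>
    isHidden(f) && PROFILE_FIELD_NAMES.test(`${f.name} ${f.autocomplete || ""}`));
}

// Browser-side collector: turn live form controls into plain descriptors so the
// pure audit above can run on them (only meaningful inside a page).
function collectFields(doc) {
  return Array.from(doc.querySelectorAll("input, select, textarea")).map((el) => {
    const cs = doc.defaultView.getComputedStyle(el);
    const rect = el.getBoundingClientRect();
    return { name: el.name, type: el.type, autocomplete: el.autocomplete,
      style: { display: cs.display, visibility: cs.visibility, opacity: cs.opacity,
               position: cs.position, left: cs.left, top: cs.top },
      rect: { width: rect.width, height: rect.height } };
  });
}

// Constructed sample mirroring the demo: two visible fields, five concealed ones,
// plus a legitimate hidden CSRF token that should NOT be flagged.
const SAMPLE_FORM = [
  { name: "name", type: "text", autocomplete: "name", style: { display: "block" }, rect: { width: 200, height: 30 } },
  { name: "email", type: "email", autocomplete: "email", style: { display: "block" }, rect: { width: 200, height: 30 } },
  { name: "phone", type: "text", autocomplete: "tel", style: { display: "none" }, rect: { width: 0, height: 0 } },
  { name: "organization", type: "text", style: { position: "absolute", left: "-5000px", top: "0px" }, rect: { width: 200, height: 30 } },
  { name: "address", type: "text", style: { opacity: "0" }, rect: { width: 200, height: 30 } },
  { name: "postal-code", type: "text", style: { visibility: "hidden" }, rect: { width: 200, height: 30 } },
  { name: "country", type: "text", style: { display: "block" }, rect: { width: 0, height: 0 } },
  { name: "csrf_token", type: "hidden", style: {}, rect: { width: 0, height: 0 } },
];

// In a page, audit the live document; offline, the sample form is used instead.
if (typeof document !== "undefined") console.log(auditFields(collectFields(document)));
```

Running `auditFields(SAMPLE_FORM)` reports phone, organization, address, postal-code and country, while the CSRF token stays unflagged because its name is not one a profile would fill.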

Here’s the good news: users can avoid the risk by disabling the autofill feature in the browser or extension settings. Spread the word!

  • Posted in:
    E-Discovery, Privacy & Data Security
  • Blog:
    Carpe Datum Law
  • Organization:
    Seyfarth Shaw LLP

Copyright © 2022, LexBlog, Inc. All Rights Reserved.