Autofill phishing is a simple technique I wasn't aware of until a few hours ago. It exploits the fact that we are so used to filling out forms that we usually let our browser do it for us. Maybe we check whether the form contains data we don't want to submit and remove it. However, the browser (tested with Google Chrome 55) also fills out fields which we can't see.
Check if you are affected
- Go to martin-thoma.de/autofill-phishing/?hidden=margin
- Fill out the displayed items with autofill
- Click on submit. The page shows which data you actually submitted.
I do not store this data.
Solutions
As a user
Disable autofill.
For Chrome, go to chrome://settings/search#Enable%20autofill and uncheck it.
As a developer
Show the user a pop-up listing which information is about to be filled in, with checkboxes so that the user can decide not to fill in certain items. I've heard Safari does something like this (screenshots are welcome if you have Safari).
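One way to build such a review step on the page itself, as an added example that is not code from the original post or from the test page: before submitting, list every non-empty field and flag the ones the user could not have seen, so hidden fields are unchecked by default. The classifier works on plain field-metadata objects so it runs outside a browser; `collectFields()` shows how to read the same metadata off a real form. The viewport size, the field names and the sample values are constructed, and the mapping of the three hiding techniques (off-screen margin, `display:none`, the `hidden` attribute or `visibility:hidden`) to the test page's `margin`/`display`/`hidden` variants is an assumption.

```javascript
// Added example (not from the original post): a pre-submit review of
// autofilled fields that flags the ones the user cannot see.

// Assumed viewport size for the constructed sample below.
const VIEWPORT = { width: 1280, height: 800 };

// Why is this field invisible? Checks the three hiding techniques from the
// overview table and returns null for a field the user can actually see.
function hiddenReason(field, viewport = VIEWPORT) {
  if (field.hidden) return 'hidden attribute';
  if (field.display === 'none' || field.visibility === 'hidden') return 'display/visibility';
  const r = field.rect; // bounding box relative to the viewport
  if (r.width === 0 || r.height === 0) return 'zero size';
  const offscreen = r.x + r.width <= 0 || r.y + r.height <= 0 ||
                    r.x >= viewport.width || r.y >= viewport.height;
  if (offscreen) return 'off-screen (margin/position)';
  return null;
}

// Build the review list: every non-empty field, with hidden ones unchecked
// (submit: false) so they are dropped unless the user opts in explicitly.
function reviewAutofill(fields, viewport = VIEWPORT) {
  return fields
    .filter(f => f.value !== '')
    .map(f => {
      const reason = hiddenReason(f, viewport);
      return { name: f.name, value: f.value, hidden: reason !== null, reason, submit: reason === null };
    });
}

// Browser-side collector (not exercised under Node): reads the metadata the
// classifier needs off a real <form> element.
function collectFields(form) {
  return Array.from(form.elements)
    .filter(el => el.name)
    .map(el => {
      const cs = getComputedStyle(el);
      const r = el.getBoundingClientRect();
      return {
        name: el.name, value: el.value, hidden: el.hidden,
        display: cs.display, visibility: cs.visibility,
        rect: { x: r.left, y: r.top, width: r.width, height: r.height },
      };
    });
}

// Constructed sample: what a browser would report after autofilling a form
// that shows only name and e-mail but also carries three hidden fields,
// one per hiding technique, plus an empty visible comment box.
const SAMPLE_FIELDS = [
  { name: 'name',      value: 'Jane Doe',         hidden: false, display: 'block', visibility: 'visible', rect: { x: 20,    y: 40,  width: 300, height: 30 } },
  { name: 'email',     value: 'jane@example.com', hidden: false, display: 'block', visibility: 'visible', rect: { x: 20,    y: 80,  width: 300, height: 30 } },
  { name: 'phone',     value: '+1 555 0100',      hidden: false, display: 'block', visibility: 'visible', rect: { x: -2000, y: 120, width: 300, height: 30 } },
  { name: 'address',   value: '1 Sample Street',  hidden: false, display: 'none',  visibility: 'visible', rect: { x: 0,     y: 0,   width: 0,   height: 0 } },
  { name: 'cc-number', value: '4111111111111111', hidden: true,  display: 'none',  visibility: 'visible', rect: { x: 0,     y: 0,   width: 0,   height: 0 } },
  { name: 'comment',   value: '',                 hidden: false, display: 'block', visibility: 'visible', rect: { x: 20,    y: 160, width: 300, height: 80 } },
];

// Stand-alone run (Node): print the review list for the constructed sample.
if (typeof document === 'undefined') {
  for (const row of reviewAutofill(SAMPLE_FIELDS)) console.log(row);
}
```

In a real page you would call `reviewAutofill(collectFields(form))` from the form's submit handler, render the rows as a confirmation dialog with a checkbox per row bound to `submit`, and only send the fields the user left checked. The default of unchecking hidden fields is the point: a field the user never saw should need an explicit opt-in, not an opt-out.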
Overview
Browser | hidden=margin | hidden=display | hidden=hidden |
---|---|---|---|
Google Chrome 55 | Affected | Ok | Ok |
If you have another browser, feel free to test it and leave a comment on what is (not) affected. Alternatively, you can send an email to [email protected].
See also
- The Guardian: Browser autofill used to steal personal details in new phishing attack, 10.01.2017.
- Autocomplete Types