
Autofill Phishing

Contents

  • Autofill Phishing
    • Check if you are affected
    • Solutions
      • As a user
      • As a developer
    • Overview
    • See also

Autofill phishing is a simple technique I wasn't aware of until a few hours ago. It exploits the fact that we are so used to filling out forms that we usually let our browser fill them out for us. Maybe we check whether there is data we don't want to submit and remove it. However, the browser (tested with Google Chrome 55) also fills in form fields that we can't see.

Check if you are affected

  1. Go to martin-thoma.de/autofill-phishing/?hidden=margin
  2. Fill out the displayed items with autofill
  3. Click on submit. It will show which data was submitted by you.

I do not store this data.

Solutions

As a user

Disable autofill.

For Chrome, go to chrome://settings/search#Enable%20autofill and uncheck it:

Autofill settings in Google Chrome

As a developer

Show the user a pop-up that lists the information about to be filled in, with checkboxes so that the user can decide not to fill in certain items. I've heard Safari does something like this (screenshots are welcome if you have Safari).

Overview

| Browser          | margin   | display | hidden |
|------------------|----------|---------|--------|
| Google Chrome 55 | Affected | Ok      | Ok     |

If you have another browser, feel free to test it and leave a comment about what is (not) affected. Alternatively, you can send an email to [email protected].
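To check a form for the concealment methods compared in the overview, the following added example (not code from the original post) lists fields that look autofillable but cannot be seen by the user. The descriptor shape, the function names, the hint list and the mapping of the table's columns to off-page position, `display: none` and the `hidden` attribute are assumptions.

```javascript
// Added example (not from the original post): list form fields that autofill
// may populate although the user cannot see them.
// Descriptor shape is an assumption. In a browser, build one per <input> from
// getComputedStyle(el) and el.getBoundingClientRect() plus the scroll offset.

// Constructed, non-exhaustive hint list for data that browsers autofill.
const AUTOFILL_HINT = /name|email|tel|phone|address|street|city|zip|postal|country|organization|cc-/i;
const TYPED = new Set(['text', 'email', 'tel', 'number', 'url', 'search']);

// Returns why a field is invisible to the user, or null if it can be seen.
function concealmentReason(f, page) {
  if (f.hiddenAttr) return 'hidden';
  if (f.display === 'none') return 'display';
  if (f.visibility === 'hidden' || Number(f.opacity) === 0) return 'transparent';
  const r = f.rect; // document coordinates, in CSS pixels
  if (r.right - r.left < 1 || r.bottom - r.top < 1) return 'zero-size';
  // Left of or above the document origin: no amount of scrolling reveals it.
  if (r.right <= 0 || r.bottom <= 0) return 'off-page';
  // Beyond the scrollable area, e.g. clipped by overflow:hidden.
  if (r.left >= page.width || r.top >= page.height) return 'off-page';
  return null;
}

function auditForm(fields, page) {
  const findings = [];
  for (const f of fields) {
    if (!TYPED.has(f.type || 'text')) continue;   // skip type=hidden, buttons, ...
    const hint = `${f.name || ''} ${f.autocomplete || ''}`;
    if (!AUTOFILL_HINT.test(hint)) continue;      // does not look like personal data
    const reason = concealmentReason(f, page);
    if (reason) findings.push({ name: f.name, reason });
  }
  return findings;
}

// Constructed sample: two visible fields and three concealed ones.
const box = (left, top) => ({ left, top, right: left + 200, bottom: top + 30 });
const visible = { type: 'text', display: 'inline-block', visibility: 'visible', opacity: '1' };
const SAMPLE_FIELDS = [
  { ...visible, name: 'name', autocomplete: 'name', rect: box(20, 100) },
  { ...visible, name: 'email', type: 'email', autocomplete: 'email', rect: box(20, 140) },
  { ...visible, name: 'phone', autocomplete: 'tel', rect: box(-5000, 180) }, // moved out of view
  { ...visible, name: 'address', autocomplete: 'street-address', display: 'none', rect: box(0, 0) },
  { ...visible, name: 'city', autocomplete: 'address-level2', hiddenAttr: true, rect: box(0, 0) },
];
const SAMPLE_PAGE = { width: 1280, height: 2000 };

console.log(auditForm(SAMPLE_FIELDS, SAMPLE_PAGE));
```

Any finding means the form asks autofill for more than it shows; the `off-page` reason corresponds to the case the table reports as affected in Chrome 55.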

See also

  • The Guardian: Browser autofill used to steal personal details in new phishing attack, 10.01.2017.
  • Autocomplete Types

Published

Jan 14, 2017
by Martin Thoma
