Could AutoFill Be Exposing Your Sensitive Data?
We all know the pain of having to fill out an extensive list of personal details every time we want to buy or sign up for something online. And we have all experienced the relief when a drop-down menu pops up and offers to fill in all the information for us with a single click. This is an AutoFill feature that various browsers such as Chrome, Safari and Opera have added for the convenience of their users, but did you know that this feature can also be manipulated by cyber-criminals in phishing attacks?
Because all of this sensitive data is stored in your browser, when you click the ‘AutoFill’ option your browser will provide all of it, rather than only the details relevant to the visible fields. Cyber-criminals can create hidden fields that the browser fills out without your knowledge, when you may only have meant to fill out your name and e-mail address. These forms can sit behind spurious links in phishing e-mails, luring you to click through to a website that looks legitimate but is actually a fake created by a cyber-criminal.
<< To find out more about how these attacks work see our blog post about how to recognise a phishing attack >>
A Finnish web developer called Viljami Kuosmanen created this demo to illustrate how an attack like this could work. His findings are as follows:
Gif found on https://github.com/anttiviljami/browser-autofill-phishing
As you can see, the only fields visible to the user are the name and e-mail address fields, but because AutoFill also completes the hidden fields, a hacker can access a phone number, company name and address that the user did not intend to submit. This could be developed to capture even more details, such as card details and passwords.
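If you want to check a form before letting AutoFill loose on it, the script below lists fields that look like personal data but that you cannot see. It is an added example, not code from Kuosmanen's demo: the field names, the sample form and the list of personal-data hints are all constructed assumptions, and the visibility test is a heuristic.

```javascript
// Added example: flag form fields that AutoFill may populate but the user cannot see.
// Fields are plain descriptor objects, so the check runs in Node as well as in a browser.

// Hints of personal data in a field's name/autocomplete attribute (assumed, not exhaustive).
const PERSONAL = /name|mail|phone|tel|organi[sz]ation|company|address|street|postal|zip|city|country|cc-|card/i;

// Heuristic: the field is not rendered, is transparent, is tiny, or sits off the page.
function isInvisible(f) {
  const s = f.style, b = f.box;
  if (s.display === 'none' || s.visibility === 'hidden' || Number(s.opacity) === 0) return true;
  if (b.width <= 1 || b.height <= 1) return true;
  // Wholly left of or above the page origin: scrolling can never bring it into view.
  return b.left + b.width <= 0 || b.top + b.height <= 0;
}

// Returns the names of fields that look like personal data and are invisible.
function auditFields(fields) {
  return fields
    .filter(f => PERSONAL.test(`${f.name} ${f.autocomplete}`) && isInvisible(f))
    .map(f => f.name);
}

// Browser side: turn a real form control into a descriptor (page coordinates).
function describe(el) {
  const s = getComputedStyle(el), r = el.getBoundingClientRect();
  return {
    name: el.name, autocomplete: el.autocomplete,
    style: { display: s.display, visibility: s.visibility, opacity: s.opacity },
    box: { left: r.left + scrollX, top: r.top + scrollY, width: r.width, height: r.height },
  };
}

// Constructed sample: two visible fields, three off the page, one harmless hidden token.
const shown = { display: 'inline-block', visibility: 'visible', opacity: '1' };
const SAMPLE_FORM = [
  { name: 'name', autocomplete: 'name', style: shown, box: { left: 20, top: 40, width: 200, height: 24 } },
  { name: 'email', autocomplete: 'email', style: shown, box: { left: 20, top: 80, width: 200, height: 24 } },
  { name: 'phone', autocomplete: 'tel', style: shown, box: { left: -500, top: 40, width: 200, height: 24 } },
  { name: 'organization', autocomplete: 'organization', style: shown, box: { left: -500, top: 80, width: 200, height: 24 } },
  { name: 'address', autocomplete: 'street-address', style: shown, box: { left: -500, top: 120, width: 200, height: 24 } },
  { name: 'csrf_token', autocomplete: 'off', style: { ...shown, display: 'none' }, box: { left: 0, top: 0, width: 0, height: 0 } },
];

if (typeof document !== 'undefined') {
  console.log(auditFields([...document.querySelectorAll('input, select, textarea')].map(describe)));
} else {
  console.log(auditFields(SAMPLE_FORM)); // [ 'phone', 'organization', 'address' ]
}
```

Pasted into the browser's developer console it audits the page you are on; run with Node it audits the constructed sample form instead.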
What can I do to stay safe?
Protecting yourself from this type of attack is quite simple, but it will depend on the type of browser you are using.
- If you use Chrome, click the three-dot button in the top right corner of your browser and select ‘Settings’, then click ‘Advanced’ at the bottom of the page. You will see ‘AutoFill settings’ where you can turn this feature off.
- If you use Safari, go to Preferences, then AutoFill, where you can review all the types of information you want Safari to fill in automatically. The same can be done on an iPhone by going to your iPhone settings and finding the Safari section, where you will see the AutoFill tab.
- If you use Opera, click the Opera button, go to Settings, then Privacy & Security, where you can scroll down to “AutoFill” and uncheck “enable auto-filling of forms on web pages.”
It’s a shame that features like this that are designed to make life more convenient for us can also put us at great risk. But the main thing to remember is that cybersecurity should not be quick and easy. It is very important to keep your devices and your sensitive data as secure as possible, so if that means filling out information manually and spending a bit more of your time then it is worth it.
If you are concerned about your cybersecurity then get in touch with Xenace. We offer fully managed IT support that guarantees to keep your business safe online as well as offer lots of other great benefits. Have a look at our website to find out more.