Popular browsers such as Chrome, Safari and Opera, and extensions such as LastPass, can be tricked into leaking private information through hidden text boxes, a Finnish developer has revealed.
Autofill is great for those who spend a lot of time typing the same pieces of key personal data into websites, but a new phishing attack that affects numerous web browsers highlights its dangers. According to The Guardian, by using hidden autofill boxes hackers can glean information from common web browsers, and even from tools like the password manager LastPass, long argued to be one of the gold standards in its industry.
For example, a site that asks users to enter their name and email address may contain hidden text boxes planted by the hacker. If the user’s browser is set up to autofill, those hidden boxes will be completed as well. All someone has to do is add hidden autofill boxes for physical addresses, phone numbers, credit card numbers, and even Social Security numbers.
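As an added, defender-side example (not code from the article or from the developer who reported the issue), the following JavaScript audits a form for fields that a browser would autofill but that the user could never see; the sensitive-name regex, the visibility thresholds and the sample form are constructed assumptions.

```javascript
// Added example, not from the article: a defender-side audit that flags form
// fields a browser would autofill even though the user cannot see them. The
// autocomplete tokens are from the HTML standard; the name regex and the
// sample form are constructed assumptions for illustration.
const SENSITIVE_AUTOCOMPLETE = new Set([
  "street-address", "address-line1", "address-line2", "postal-code",
  "tel", "cc-name", "cc-number", "cc-exp", "cc-csc",
]);
const SENSITIVE_NAME_RE = /ssn|social|card|cvv|phone|tel|address|zip|postal/i;
// Descriptor: { name, autocomplete, display, visibility, opacity, width, height, left, top }.
// <input type="hidden"> is never autofilled; the trick uses CSS to keep an ordinary
// text input out of view, so those are the cases checked here.
function isHidden(f) {
  return f.display === "none" || f.visibility === "hidden" || f.opacity === 0 ||
    f.width === 0 || f.height === 0 ||            // collapsed to nothing
    f.left + f.width < 0 || f.top + f.height < 0;  // positioned off-screen
}

function isSensitive(f) {
  return SENSITIVE_AUTOCOMPLETE.has((f.autocomplete || "").toLowerCase()) ||
    SENSITIVE_NAME_RE.test(f.name || "");
}

// Names of fields that are both invisible and targets for sensitive autofill data;
// a site owner's test suite or a browser extension could warn before submission.
function findHiddenAutofillTargets(fields) {
  return fields.filter(f => isHidden(f) && isSensitive(f)).map(f => f.name);
}

// Browser side: build descriptors from the live DOM so the same check runs in a page.
function describeDomInputs(doc, win) {
  return Array.from(doc.querySelectorAll("input, textarea, select")).map(el => {
    const cs = win.getComputedStyle(el), r = el.getBoundingClientRect();
    return { name: el.name || el.id, autocomplete: el.getAttribute("autocomplete") || "",
      display: cs.display, visibility: cs.visibility, opacity: parseFloat(cs.opacity),
      width: r.width, height: r.height, left: r.left, top: r.top };
  });
}

// Constructed sample: two visible fields plus three the user would never see.
const vis = { display: "block", visibility: "visible", opacity: 1, width: 200, height: 24, top: 100 };
const SAMPLE_FIELDS = [
  { ...vis, name: "name",  autocomplete: "name",      left: 40 },
  { ...vis, name: "email", autocomplete: "email",     left: 40 },
  { ...vis, name: "phone", autocomplete: "tel",       left: -5000 },            // off-screen
  { ...vis, name: "card",  autocomplete: "cc-number", left: 40, display: "none" },
  { ...vis, name: "ssn",   autocomplete: "",          left: 40, opacity: 0 },   // transparent
];
console.log(findHiddenAutofillTargets(SAMPLE_FIELDS)); // [ 'phone', 'card', 'ssn' ]
```

In a page, the same check runs as `findHiddenAutofillTargets(describeDomInputs(document, window))`.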
“I hate entering my Social Security number on a webform, but as a freelance writer I sometimes have to in order to get paid,” explained one user. “I contacted a small company I’d previously done work for because I went to update my profile with them and my SSN autofilled itself, right there on my screen. They told me they don’t store that kind of information, that it was my web browser that had filled it in.”
In that particular case, the writer saw her information on the screen. However, if someone had attached a hidden text box to another website, the browser in theory could hand over the SSN and any other highly sensitive information.
Fortunately, there are some quick fixes to avoid this threat. First, it relies on you autofilling at least some information, so you’re not likely to be a victim just from random web activity. More importantly, you can disable the autofill feature in your browser and extensions to keep the rest of your data from accidentally popping up.
Another bit of good news for some is that Mozilla’s Firefox is immune to the problem, as it doesn’t currently use a multi-box autofill system and cannot be tricked into filling text boxes by programmatic means, according to Mozilla principal security engineer Daniel Veditz.