Some browsers allow hackers to steal data via the autofill functionality

Autofill browser feature enables hackers to steal private data


Hackers can abuse the autofill feature available in most web browsers to launch phishing attacks and steal confidential data without users' knowledge.

Finnish web developer and hacker Viljami Kuosmanen, who discovered the threat, said the autofill functionality, which enables users to fill in lengthy forms with a single click by using stored profiles, would be best avoided altogether.

While users might think they are sharing only their name and email address with a particular website, scammers may secretly ask the browser for further information such as telephone numbers and address details.

The fact that the browser is sharing much more than it appears to be can only be revealed by accessing the source code of the given website – something that the vast majority of regular users don’t do.

The browsers don’t recognise that some of the automatically filled boxes are hidden from the user’s view.
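
A defender-side check for the behaviour described above, as an added example that is not from the original article or from Kuosmanen's demonstration: it statically scans a page's HTML for form fields that are hidden by inline styles or sit inside hidden containers. The hiding patterns, the skipped input types and the sample form are assumptions constructed for illustration; hiding applied through external stylesheets or scripts is not visible to this check.

```python
import re
from html.parser import HTMLParser

# Inline-style patterns that move an element out of view (assumed list, not exhaustive).
HIDING = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden"
    r"|(?:margin-left|margin-top|left|top)\s*:\s*-\d{3,}", re.I)
# Input types that are not free-text fields; skipped in this example.
SKIP_TYPES = {"hidden", "submit", "button", "reset", "checkbox", "radio", "file", "image"}
VOID = {"input", "br", "hr", "img", "meta", "link"}

class HiddenFieldAudit(HTMLParser):
    """Collect form fields that are, or sit inside, visually hidden elements."""
    def __init__(self):
        super().__init__()
        self.stack = []      # (tag, hidden?) for every open ancestor
        self.findings = []   # autocomplete token or name of each hidden field

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        hidden = "hidden" in a or bool(HIDING.search(a.get("style") or ""))
        inherited = any(h for _, h in self.stack)
        is_field = tag in {"input", "select", "textarea"}
        if is_field and (a.get("type") or "text").lower() not in SKIP_TYPES:
            if hidden or inherited:
                self.findings.append(a.get("autocomplete") or a.get("name") or "?")
        if tag not in VOID:
            self.stack.append((tag, hidden))

    def handle_endtag(self, tag):
        # Pop back to the matching open tag; ignore stray closing tags.
        if any(t == tag for t, _ in self.stack):
            while self.stack.pop()[0] != tag:
                pass

def audit(html):
    parser = HiddenFieldAudit()
    parser.feed(html)
    return parser.findings

# Constructed sample: two visible fields, three fields the user never sees.
SAMPLE = """<form>
  <input name="name" autocomplete="name">
  <input name="email" autocomplete="email">
  <div style="margin-left:-500px; position:absolute">
    <input name="phone" autocomplete="tel">
    <input name="address" autocomplete="street-address">
  </div>
  <input name="city" autocomplete="address-level2" style="display:none">
  <input type="submit" value="Send">
</form>"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```
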

Google Chrome, Apple’s Safari and the Opera browser all have the vulnerability. Mozilla’s Firefox is safe for now as it does not yet have autofill. However, Mozilla’s engineers are reportedly already developing the functionality for the browser.

Fortunately, credit card information and other financial information can’t be stolen as easily, because requesting such data prompts the browsers to verify whether the website requesting the information is using HTTPS – a standard protocol for secure communication over a computer network. If not, the browser would trigger additional warnings.

Kuosmanen’s demonstration of the vulnerability is accessible on GitHub.
