Browser autofill is a feature in a web browser that is meant to make filling forms on websites much easier and faster for the users. Browser autofill is a very helpful tool when you are purchasing goods or signing up for some program. Your name, contact details and maybe even payment information is already filled in the form, just click submit and you are good to go. Super easy and fast, who wouldn’t like that?
The problem with autofill
The problem with browser autofill is that phishers are able to abuse this feature. This means that they trick you into thinking that you are only filling and sending, for example, your name or email. However, what actually is happening is that the website owner has hidden the other form fields and the autofill feature is filling them without you seeing it. Hiding the form fields is not hard and it doesn’t require much to hide the fields.
This is scary, as your home address and even credit card details might get stolen. Home addresses and credit card details are very popular fields in forms because online shopping is so popular nowadays. This means that most of the browsers remember your home address and maybe even payment information and therefore they are able to autofill these details. You really don’t want to lose your credit card details while signing in to a harmless looking email list to receive monthly new recipe ideas.
This attack, however, needs you to use the autofill feature. This means that when the browser suggests the information to fill in, you click it to do it. If you don’t, the attackers won’t get anything more than you have typed in. If the form being filled requires your name and email, I’m pretty sure that most of us are too lazy to type our email address at least, if it’s being suggested by the browser.
Phishing
I mentioned that phishers abuse the autofill feature, but what actually is phishing and who are the phishers. I will quickly explain these, so you can have a better understanding of what these things are and why you really don’t want your personal information to get into the wrong hands.
Phishing is the fraudulent attempt to obtain sensitive information such as usernames, passwords, and credit card details. In this case, it might include your home address, email address, phone number or any other form information stored by the browser. The stolen information is often used for malicious reasons, such as credit card frauds, identity thefts, email spam or to even carry out targeted cyber attacks.
Phishers are the people with malicious intents, they are commonly just making money stealing other people’s information and selling it forward to someone who is then actually using it to their own benefit. Credit card information is sold a lot on the internet as well as email addresses. Someone can use your credit card to make purchases from your account and email addresses are added to spam lists to make you receive more shady links and maybe falling into another scam.
User-friendliness versus security
This browser autofill issue can be said to be the old battle between user-friendliness and security. When things are made easier for the user and automated, it often creates new issues that have to be solved in some way. Browser autofill is not an exception, it’s a great feature designed to help us and make filling forms much faster, but it had a downside as it can be abused very easily to steal information.
There are a few ways you can reduce the risk of being affected by this issue. The first and most secure way of dealing with this issue is to disable the autofill feature completely. I personally did this as I don’t mind filling in my details every time I buy something.
If you are purchasing a lot of products from online stores, it might be very frustrating for you to fill the same information over and over again. A way to avoid falling into this phishing attempt is to only fill forms in sites you trust, to be accurate, you shouldn’t even visit sites you do not trust.
Creating an account to the site, you buy the products is a good practice as they usually store your information if you want them to. Most online stores have a button to click to save payment information for later purchases. One thing to keep in mind is that if their site gets compromised, all your personal information is in danger. This is why I stick to the first solution and just type everything myself.
Proof of concept
Below you can see a GIF that proves the autofill being abused. You can also check it from GitHub.
GIF made by Viljami Kuosmanen, a Finnish web developer, who discovered and successfully exploited the browser autofill feature.
Turning off autofill in different browsers
Below are simple guides on how to turn off the autofill feature in different browsers.
If you have decided to turn off the autofill feature, it is a good idea to clean the entries saved on the browser. This can be done from the browser’s autofill settings.
Keep in mind that different browser has this feature implemented in different ways, not every browser is affected by this, or have autofill even enabled automatically. I still think it’s a good idea to play safe and disable the autofill. At least for me, it feels a bit unnecessary as I don’t really need it and I feel safer not to use it at all.
Chrome
- Start by opening the Google Chrome browser
- Click the three dots in the top right corner
- Select “Settings” from the drop-down menu it opens, it opens the settings tab
- Scroll down to the bottom and click “Advanced Settings”
- Locate the “Passwords and Forms” section and click the “Autofill settings”
- Click the switch to turn autofill off
Safari
- Start by opening the Safari browser
- Click on the “Safari” word on the top left corner of the desktop
- Select “Preferences” from the menu
- Find and click the autofill tab
- Uncheck “Using info from my Contacts/Address Book Card” and “Other Forms”
Firefox
- Start by opening the Firefox browser
- Click the button with three stripes in it, you can find it from the top right corner
- Select “Options” from the drop-down menu, it opens the settings tab
- Click the “Privacy & Security”, which is located in the left of the settings page
- Locate the “History” section and select “Use custom settings for history” from the bar
- Uncheck the “Remember search and form history”
Opera
- Start by opening the Opera browser
- Click the “Menu” button in the top left corner
- Select “Settings” and a new window appears
- From the new window, select “Privacy and security”
- Locate the autofill section and uncheck the “Enable auto-filling of forms on webpages”
Microsoft Edge
- Start by opening the Microsoft Edge browser
- Click the button with three dots on it, it’s located in the top right corner
- Click “Settings”
- Scroll down and click on “Advanced settings” at the bottom of the settings
- Locate the Autofill settings and click on the switch to turn autofill off
Internet Explorer
- Start by opening the Internet Explorer
- Click “Tools” in the top right corner, the icon looks like the usual settings cogwheel
- Select “Internet Options”, it opens a new window
- Select “Content” from the top menu of the window
- Locate the “AutoComplete” section and click “Settings”
- Deselect the box next to “Forms and searches”
Third-party autofill tools
If you are using a third-party autofill tool, you might want to stop using them. LastPass had their own autofill plugin, which made using strong password very easily. However, the LastPass plugin was also easy to trick into giving sensitive information in this kind of attacks.
Conclusion
I personally believe that the best way to deal with this kind of phishing attacks is to disable autofill completely. You can avoid losing all your information just using common sense, but I always like to take the extra step to achieve a bit more control over my own details.
If you buy a lot of products on the internet, it is understandable that you don’t want to fill in your details every time. Just keep sure that you are not visiting shady sites or filling out any forms in any sites you do not trust. A simple email list signs up can in the worst scenario make you lose your credit card details.
Whatever is your own solution for these types of phishing attacks, remember to always use common sense. It can save you a lot of money and effort.
