Saturday, June 30, 2018

Have you disabled autofill in your browser?

I was, at one time, an autofill user. How convenient for me that my browser fills in the answers for me in various web form fields, like name, address, phone number, zip code, etc. It's possible to input credit card data this way as well, although I never enabled that feature.

More recently, I disabled the autofill capability in my preferred browser, which happens to be Google Chrome. I did this because the bad guys figured out a way to cull this information without the user's knowledge.

How they do this is quite simple. The user clicks a link in a targeted phishing email and is redirected to the attacker's web page. A form on the page shows some blank fields—such as first name and last name.

With autofill enabled in the browser settings, the user fills in the name fields with a single click, unaware that hidden fields on the same page are filled in at the same time, and with more sensitive information than just a name.

Note that if you use a password manager program (such as LastPass), it may have an autofill feature enabled.

For more information, see https://www.social-engineer.com/disable-autofill-browsers/.
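To check a saved copy of a page for the hidden-field trick described above, here is an added example (not part of the original post): a small Python audit that flags any form mixing visible fields with fields concealed by inline styling. The concealment patterns, the list of fillable input types and the sample page are assumptions made for illustration, and concealment applied from a stylesheet or by script is not detected.

```python
import re
from html.parser import HTMLParser

# Inline styles that take a field out of view (assumed heuristic list, not exhaustive).
CONCEAL = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|opacity\s*:\s*0(\.0+)?\s*(;|$)"
    r"|(left|top|text-indent)\s*:\s*-\d{3,}|(width|height)\s*:\s*0(px)?\s*(;|$)", re.I)
CONTAINERS = ("form", "div", "span", "fieldset", "label")
FILLABLE = {"", "text", "email", "tel", "number", "password"}  # assumed; type="hidden" excluded

class AutofillAudit(HTMLParser):
    """Sorts each form's autofill-candidate fields into visible and concealed."""
    def __init__(self):
        super().__init__()
        self.forms, self._open = [], []  # _open: (tag, concealed) per open container

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        concealed = "hidden" in a or bool(CONCEAL.search(a.get("style") or ""))
        if tag == "form":
            self.forms.append({"visible": [], "concealed": []})
        if tag in CONTAINERS:
            self._open.append((tag, concealed))
        elif tag in ("input", "select", "textarea"):
            in_form = any(t == "form" for t, _ in self._open)
            fillable = tag != "input" or (a.get("type") or "").lower() in FILLABLE
            if in_form and fillable:
                out_of_view = concealed or any(c for _, c in self._open)
                label = a.get("autocomplete") or a.get("name") or "?"
                self.forms[-1]["concealed" if out_of_view else "visible"].append(label)

    def handle_endtag(self, tag):
        if tag in CONTAINERS and self._open:
            self._open.pop()

def audit(html):
    """Return the forms that mix visible fields with concealed ones."""
    parser = AutofillAudit()
    parser.feed(html)
    return [f for f in parser.forms if f["visible"] and f["concealed"]]

# Constructed sample page, not taken from any real site.
SAMPLE = """<form action="/subscribe">
<input name="fname" autocomplete="given-name">
<input name="lname" autocomplete="family-name">
<div style="position:absolute; left:-5000px">
<input name="phone" autocomplete="tel"><input name="addr" autocomplete="street-address">
</div><input type="hidden" name="csrf" value="x"><input type="submit"></form>"""
if __name__ == "__main__":
    print(audit(SAMPLE))
```

A form that shows only name fields but reports phone or address entries under "concealed" is asking for more than it displays.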
