The autofill systems in browsers like Google Chrome, Safari and Opera, as well as plugins like LastPass, can be easily tricked into giving away your information on web pages. Here’s how you can keep your personal information secure.
Viljami Kuosmanen, a Finnish web developer and hacker, recently discovered the exploit and shared an example of it in action on GitHub. Basically, a phishing site will have text boxes where you enter some very basic information, like an email address or first name. But when you use your browser’s autofill system to fill out those boxes, the site uses hidden text boxes to collect additional autofill information you don’t realise you’re giving away. That information could be your home address, phone number and even your credit card info.
Here’s the phishing exploit in action via Viljami Kuosmanen.
If you want to stay safe, you should always avoid sharing personal information and using utilities like LastPass on web sites you’re not completely sure of. Or you can turn off autofill completely in your browser of choice:
- In Chrome, click the three-dot “More” button in the top right > Settings > Show advanced settings > then uncheck “Enable Autofill to fill out web forms in a single click” under “Passwords and forms”.
- In Safari, go to Preferences > AutoFill > deselect all types of information you want Safari to automatically fill in.
- In Opera, click the Opera button, go to Settings > Privacy & security > scroll down to “Autofill” > uncheck “enable auto-filling of forms on webpages”.
Mozilla Firefox is currently immune to this phishing exploit because it doesn’t have a multi-box autofill system yet. You can learn more about the exploit at the link below.