We all like to use the autofill and built-in password manager features offered by Internet browsers as well as some third-party password managers in order to save time and avoid the trouble of remembering dozens of credentials. However, a new phishing attack might make you think twice before using the feature again. The phishing attack, discovered by a Finnish Web developer and hacker, tricks browsers as well as password managers into giving away users' credentials using a fairly simple trick.
Finnish Web developer and hacker Viljami Kuosmanen has found that Google's Chrome, Apple's Safari, as well as Opera, and password manager app LastPass, can all be tricked into leaking a user's personal information through their profile-based autofill systems, reports The Guardian. Kuosmanen discovered that whenever a user tries to fill up a form on the webpage, the autofill systems fill up the boxes even if they are not visible on the page.
This effectively means that while filling up the forms, the autofill system can potentially give away users' sensitive information if they confirm the autofill - even if only for a few visible fields. Chrome browser's autofill option is switched on by default and stores information such as email addresses, phone numbers, credit card information etc., as pointed out in the report.
Interestingly, Kuosmanen has also made a website to demonstrate how the process works. The webpage asks users to write their name and email address and has the boxes for mobile number and address hidden from plain site - the browser then proceeds to autofill this additional information without knowledge of the user.
In order to ensure protection against such a phishing attack, users are advised to switch off the features from their browser