Browsing online can sometimes feel like navigating a minefield. It’s filled with traps, foxholes, and other hidden dangers that can hurt you when you least expect it.
These days, nothing seems safe online – there’s always an enterprising hacker poking holes in every would-be stalwart system out there. Whether for black hat or white hat reasons, a vulnerability is always waiting to be discovered.
And who knew even one of the conveniences of modern browsers can be exploited to do more harm than good?
I’m talking about a browser’s Autofill feature – that time-saving convenience that automatically populates a website’s fillable forms with your saved data, including your name, address, email and credit card information.
As Finnish security researcher Viljami Kuosmanen discovered, a thieving phisher can steal this Autofill personal data by using hidden fields on a webpage. The worst part is, you won’t suspect a thing.
In his proof-of-concept example posted on GitHub, he demonstrated how Chrome, which auto-fills data by default, can be used to extract user information, including credit card numbers, expiration dates, and security codes, merely by embedding hidden fields that the browser then fills in automatically.
Browsers other than Google Chrome are likewise exploitable, including Apple’s Safari and Opera.
However, Mozilla security researcher Daniel Veditz tweeted that Firefox is immune to the bug because it won’t auto-fill fields that can’t be clicked by the user.
currently field by field. Apparently we want to do a multi-field autofill (bug 990176) which could cause probs
— Daniel Veditz (@dveditz) January 10, 2017
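The Firefox behaviour described above (not filling fields the user cannot click) suggests a check that a site owner or reviewer can run on a form: flag any field that carries an autofill hint but is not visible. The JavaScript below is an added example, not Kuosmanen's proof of concept or any browser's code; the descriptor shape, the function names, the exact-match name rule and the sample form are assumptions constructed for illustration.

```javascript
// Autofill field names (HTML autocomplete tokens) treated as sensitive here.
const SENSITIVE = new Set(["name", "email", "tel", "street-address", "postal-code",
  "cc-name", "cc-number", "cc-exp", "cc-exp-month", "cc-exp-year", "cc-csc"]);

// Why a field is not visible to the user, or null if it is visible.
function concealmentReason(f) {
  if (f.type === "hidden") return null; // assumption: holds page-set values, skipped
  if (f.display === "none") return "display:none";
  if (f.visibility === "hidden") return "visibility:hidden";
  if (Number(f.opacity) === 0) return "opacity:0";
  if (f.width <= 1 || f.height <= 1) return "collapsed to <=1px";
  if (f.left + f.width <= 0 || f.top + f.height <= 0) return "positioned off-screen";
  return null;
}

// Sensitive hint from the last autocomplete token or, failing that, the name attribute.
// The name is checked even when autocomplete="off" (simplified exact-match rule).
function autofillHint(f) {
  const last = (f.autocomplete || "").trim().toLowerCase().split(/\s+/).pop();
  return [last, (f.name || "").toLowerCase()].find((c) => SENSITIVE.has(c)) || null;
}

// Report fields that are both autofill candidates and concealed from the user.
function findConcealedAutofillFields(fields) {
  return fields
    .map((f) => ({ name: f.name, hint: autofillHint(f), reason: concealmentReason(f) }))
    .filter((r) => r.hint && r.reason);
}

// Browser-only helper: describe a live form's controls in document coordinates.
function describeForm(form) {
  return [...form.querySelectorAll("input, select, textarea")].map((el) => {
    const cs = getComputedStyle(el), r = el.getBoundingClientRect();
    return { name: el.name, type: el.type, autocomplete: el.getAttribute("autocomplete"),
      display: cs.display, visibility: cs.visibility, opacity: cs.opacity,
      left: r.left + scrollX, top: r.top + scrollY, width: r.width, height: r.height };
  });
}

// Constructed sample descriptors: two visible fields, three concealed, one type=hidden.
const base = { type: "text", display: "block", visibility: "visible", opacity: "1",
  left: 40, top: 100, width: 200, height: 24 };
const SAMPLE_FORM = [
  { ...base, name: "fullname", autocomplete: "name" },
  { ...base, name: "email", autocomplete: "email", top: 140 },
  { ...base, name: "card", autocomplete: "cc-number", left: -600 },
  { ...base, name: "exp", autocomplete: "cc-exp", opacity: "0" },
  { ...base, name: "cc-csc", autocomplete: "off", width: 0, height: 0 },
  { ...base, name: "csrf", type: "hidden", display: "none" },
];
```

In a browser console the same check runs as `findConcealedAutofillFields(describeForm(document.forms[0]))`. It does not account for an ancestor element's opacity or clipping, so a clean result is not proof that every field is visible.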
How to turn off Autofill
Until the affected browsers are patched, it looks like the only fix for now is to turn off the Autofill feature.
To turn it off in Chrome, click the three vertical dots in the upper-right corner of your browser, select Settings, scroll down and click on “Show Advanced Settings,” then uncheck “Enable Autofill to fill out web forms in a single click.” Additionally, you can edit what information is being auto-filled by clicking “Manage Autofill settings.”
If you’re using Safari on a Mac, with the browser open, click on Safari on the menu bar, then click on Preferences and go to the Autofill section. Here you can select and uncheck the Autofill data that Safari uses.
Although Firefox is reported to be safe against the bug, if you still want to edit your Autofill settings in this browser, click on the three horizontal stripes in the upper-right corner, select Options, go to Privacy, click on the “Firefox will:” drop-down box in the History section (it is set to “Remember history” by default) and select “Use custom settings for history.” To prevent Firefox from storing autocomplete form data, uncheck “Remember search and form history.”