Everybody hates filling out web forms so some browsers offer a handy Autofill feature to automate the job for you. Unfortunately, it’s handy for hackers, too.

Hackers can abuse this feature to phish for your private information as well as credit card number, expiration date and cvc. Any website can have a lot of hidden fields that might get auto-filled and submitted without your knowledge. Take a quick look yourself:

You want the latest news about Crypto?
Then follow us on Google News!


This proof-of-concept demo website consists of a simple online web form with just two fields: name and email. But what’s not visible are many out of sight fields, including the credit card information, phone number, organization, address, postal code, city etc. There’s more than one way of coding this, for example (linked demo site):

form action=”” method=”post”

p style=”margin-left:-500px”

input type=”text” name=”cc_number”

input type=”text” name=”cc_exp_month”

input type=”text” name=”cc_exp_year”


Notice the “margin-left:-500px” part that displays the text field out of the victim’s vision. This is not a regular type=”hidden” field.

The same result can be achieved by creating a specially crafted container using “overflow:hidden” attribute:

form action=”collector.php” method=”post”

div style=”overflow:hidden;height:35px;”

input id=”00″ autocomplete=”cc-number”

input id=”01″ autocomplete=”cc-exp-month”

input id=”02″ autocomplete=”cc-exp-year”


These fields would also get auto-filled along with at least one visible, regular text field which is usually put in another container within the same form.

On the plus side, this method alone cannot capture passwords saved in the browser because they’re tied to a specific domain, but that’s not going to comfort someone that lost their identity and banking information.

Browsers vulnerable to the attack include Google Chrome, Apple Safari and Opera. On the other hand, if you use Mozilla Firefox or Tor, you don’t need to worry about this issue because Mozilla doesn’t support auto-filling multiple fields at once.

Since this method was first published in 2013, Chrome’s only response was implementing a warning message when credit card information is being submitted over HTTP, I am not expecting a fix anytime soon. Fraudsters can easily obtain a SSL certificate for free so I recommend disabling Autofill feature in your browser.

If you’re using Chrome, go to Settings – Show Advanced Settings (at the bottom) – uncheck Enable Autofill box to fill out web forms with a single click (under Passwords and Forms section).