Don’t be suckered by the Safari Autofill phishing threat

Warning: you may be sharing more information than you think when you use AutoFill in your web browser, unless of course you know what to look for.

Finnish web developer and hacker Viljami Kuosmanen has found that some web browsers, especially Google’s Chrome, can be tricked into giving more of your personal information than you think you are sharing when you use AutoFill.

That’s particularly bad when it comes to confidential information like phone numbers, email addresses, home address details or even credit card data.

Chrome users are most affected because the browser’s AutoFill system is on by default, but Safari users should also check what AutoFill is filling in on their behalf. Here is what to do pending a fix.

Firefox users are not affected by this problem, as that browser handles AutoFill differently.

What happens:

  • When you use AutoFill to enter data on a website, you may be surprised to learn that data will be entered into any input box on the page, even if you can’t see it.
  • Hackers can exploit this by placing hidden boxes on the page that request any of your AutoFill information, while only making relatively innocuous boxes visible on that page.
  • You can think you are only entering your name and email, as this example shows (don’t fill in any information, just look).
  • You will think you are putting in less data than you actually are.
  • The only way to avoid entering this data is to decline to use AutoFill and fill in the data you are prepared to share manually.
  • Some users are known to have created limited identity profiles for use with AutoFill in order to protect themselves against such threats.
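As an added example (not from the original post or from Kuosmanen’s demo page), here is a small JavaScript audit that lists which autofill-capable inputs on a page are actually visible to the user. The token list, the hiding heuristics and the sample form are constructed for illustration; in a browser it reads the live document, in Node it runs against the sample.

```javascript
// Added example (not from the original post): audit a form and report which
// autofill-capable inputs are hidden. Descriptors are plain objects so the
// logic also runs in Node without a DOM.

// Autocomplete tokens (or field names) worth flagging; assumption for this example.
const SENSITIVE = /^(name|email|tel|street-address|address-line\d|postal-code|cc-)/;

// Heuristics for "the user cannot see this field": CSS hiding, zero size,
// or a box positioned entirely outside the viewport.
function isHidden(f) {
  if (f.display === "none" || f.visibility === "hidden") return true;
  if (Number(f.opacity) === 0) return true;
  if (f.width === 0 || f.height === 0) return true;
  if (f.left + f.width < 0 || f.top + f.height < 0) return true;
  return false;
}

// Returns { visible: [tokens], hidden: [tokens] } for inputs the browser
// would treat as autofill candidates (autocomplete attribute, else name).
function auditFields(fields) {
  const result = { visible: [], hidden: [] };
  for (const f of fields) {
    const token = (f.autocomplete || f.name || "").toLowerCase();
    if (token === "" || token === "off" || !SENSITIVE.test(token)) continue;
    (isHidden(f) ? result.hidden : result.visible).push(token);
  }
  return result;
}

// Browser helper: build descriptors from live inputs via computed style.
function collectFields(doc) {
  return Array.from(doc.querySelectorAll("input")).map((el) => {
    const cs = doc.defaultView.getComputedStyle(el);
    const r = el.getBoundingClientRect();
    return { name: el.name, autocomplete: el.getAttribute("autocomplete"),
      display: cs.display, visibility: cs.visibility, opacity: cs.opacity,
      width: r.width, height: r.height, left: r.left, top: r.top };
  });
}

// Constructed sample: a page that appears to ask only for name and email but
// also carries a display:none phone field and off-screen address/card fields.
const vis = { display: "block", visibility: "visible", opacity: "1", width: 200, height: 30, top: 20 };
const SAMPLE_FORM = [
  { ...vis, name: "name", autocomplete: "name", left: 20 },
  { ...vis, name: "email", autocomplete: "email", left: 20 },
  { ...vis, name: "phone", autocomplete: "tel", left: 20, display: "none" },
  { ...vis, name: "addr", autocomplete: "street-address", left: -9999 },
  { ...vis, name: "card", autocomplete: "cc-number", left: -9999 },
];
const fields = typeof document === "undefined" ? SAMPLE_FORM : collectFields(document);
console.log(auditFields(fields)); // sample: visible name+email, hidden tel, street-address, cc-number
```

Run it from the browser console on a page you distrust to see the hidden list; any entry there is data AutoFill would hand over that the visible form never asked for.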

Safari tips

Safari warns you about what information it is about to fill in. If you try the example above you will see a warning that AutoFill is about to fill in your email, phone number and address once you enter your name. You should not ignore such a warning — it’s not an error — because even though the page says it is only asking for your name and your email, it has hidden requests for your other data.

What should you do?

Chrome users should switch off AutoFill to avoid falling prey to this problem, while Safari users must check that the information Safari warns they are about to share matches the information they think they are about to share using AutoFill.

Assembling information like this is a key element of phishing attacks. Used in conjunction with the huge quantities of data recently stolen (for example, in the Yahoo hack), it is possible that phishers using such attacks could figure out at least some of the passwords associated with your accounts and use them for deeper intrusions.

So be careful out there. But Safari users need not panic, just be sure to read the warning.

And Google really should prioritise user security more.

LINK: The Guardian


Jonny Evans

Watching Apple since 1999. I don't say what they should do. I say what they might do. They sometimes do.

8 Responses

  1. j says:

    You should mention that Firefox does not have this issue.

  2. Phil Kalina says:

    I tried your example by entering my name. Autofill also put my email in the field, but I did not get any warning message from Safari. Thanks for your article, but I’m not sure I can trust Safari to warn me about this issue.

    • Jonny Evans says:

      Yeah, you can, but the warning is not obvious, so be wary.

      • Jonny Evans says:

        (This is also why I wrote this: the warning is easy to miss/ignore, so you — my readers — deserve and need to know this. Trying to help you with things like this is my job!)

  3. Phil Kalina says:

    I see what you mean now, so I’ll be watching this in the future. Thanks!

  4. FreddyJ says:

    I must be blind — I do not see the warning that Phil and Jonny see.
