We all owe a big high-five to whoever first figured out autocomplete. It’s probably spared us from a collective lifetime spent repeatedly filling out tedious info every time we log into or sign up for a new account. Unfortunately, some lowlife hackers may be hijacking the feature in a number of the most popular web browsers, in order to surreptitiously steal your personal info, including your credit card number, without your ever knowing about it.
Basically, scammers are putting hidden text boxes onto websites that are “auto-completed” on the sly with things like your address and credit card number, when all you thought you were doing was submitting your name or email address. Fortunately, it’s pretty easy to protect against.
This is why I don’t like autofill in web forms. #phishing#security#infosecpic.twitter.com/mVIZD2RpJ3
— Viljami Kuosmanen ⭐ (@anttiviljami) January 4, 2017
The potential for such a phishing scam was first discovered by a Finnish developer, who realized that it’s fairly simple to poach info from people by planting rogue text boxes on a particular target page. That’s because many browsers’ autofill systems work by automatically plugging in pertinent stored info — your mailing address, phone numbers, credit cards, etc. — into blank text boxes in an online form. By attempting the scheme himself, he found that would-be scammers could simply add additional “hidden” boxes to the page, and trick people into giving away more info than they intended to.
Affected browsers include biggies like Chrome, Safari, and Opera, as well as extensions like the password manager/form filler LastPass, which is perhaps an even more obvious target. So, if you’re currently using any of these, it’d be wise to head to your Preference menu and temporarily disable the autofill feature until a security patch is pushed out.
Source:
