Browser autofill data can be phished; how to stay safe
Securecast.com, a security awareness and anti-phishing solution, has deployed a free autofill test tool with updated guidance on how to stay safe when using browser autofill features.
The autofill function in your browser is convenient for completing web forms quickly, but did you know that many browsers will also autofill hidden fields and hand over far more data than you may be aware of? Earlier this month a web developer and hacker published how the autofill functionality of browsers such as Google Chrome, Safari, Internet Explorer and Opera, and of browser plugins like LastPass, can be exploited into giving away far more data than you intend, simply by visiting a web page.
How it works: an end user visits a phishing site that may closely resemble a trusted website, often after a phishing email has directed them to the lure page. The page carries a simple form or text box where the user enters basic data such as a name or email address. At that point the browser's autofill completes the fields in view and potentially several other hidden fields the user cannot see, collecting additional data such as credit card number, Social Security number, address, phone number and so on.
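The pattern described above (ordinary text inputs hidden with CSS, but still eligible for autofill) can be spotted in a page's markup. The following is an added example, not Securecast's tool: a small audit script, using only the Python standard library, that flags inputs which are both hidden from the user and likely to attract sensitive autofill data. The token list, name patterns and the sample form are constructed for the example.

```python
from html.parser import HTMLParser
import re

# WHATWG autocomplete tokens for data nobody knowingly gives a signup form.
SENSITIVE_TOKENS = {"cc-number", "cc-exp", "cc-exp-month", "cc-exp-year", "cc-csc",
                    "cc-name", "street-address", "address-line1", "postal-code",
                    "tel", "tel-national", "bday"}
# Field names browsers (and phishing kits) key on when no autocomplete token is set.
SENSITIVE_NAME = re.compile(r"card|ccn|cvv|ssn|social|phone|tel|addr|zip|postal", re.I)
# Inline-CSS tricks that keep a text input out of sight yet still autofillable.
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden|opacity\s*:\s*0(?![.\d])"
                          r"|(?:left|top)\s*:\s*-\d{3,}px|font-size\s*:\s*0", re.I)
# Types browsers never autofill; the trick uses text inputs hidden by CSS, not type=hidden.
NOT_AUTOFILLED = {"hidden", "submit", "button", "checkbox", "radio", "file", "image", "reset"}

class AutofillAuditor(HTMLParser):
    """Collect inputs that are both out of sight and likely to attract sensitive autofill."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = {k: (v or "") for k, v in attrs}  # bare attributes such as `hidden` arrive as None
        if a.get("type", "text").lower() in NOT_AUTOFILLED:
            return
        hidden = "hidden" in a or bool(HIDDEN_STYLE.search(a.get("style", "")))
        tokens = a.get("autocomplete", "").lower().split()  # "shipping tel": field type is last
        token = tokens[-1] if tokens else ""
        name = a.get("name") or a.get("id", "")
        reason = (f"autocomplete={token}" if token in SENSITIVE_TOKENS
                  else "sensitive-looking name" if SENSITIVE_NAME.search(name) else None)
        if hidden and reason:
            self.findings.append({"field": name, "reason": reason, "style": a.get("style", "")})

def audit_html(html: str) -> list:
    """Return hidden, sensitive, autofillable inputs; hiding via external CSS or JS is not resolved."""
    p = AutofillAuditor()
    p.feed(html)
    return p.findings

# Constructed sample: an innocent-looking signup form with two off-screen fields autofill would populate.
SAMPLE_FORM = """<form action="/subscribe" method="post">
  <label>Name <input name="name" autocomplete="name"></label> <label>Email <input name="email" autocomplete="email"></label>
  <input name="card" autocomplete="cc-number" style="display:none">
  <input name="contact" autocomplete="shipping tel" style="position:absolute;left:-9999px">
  <input name="csrf_token" type="hidden" value="placeholder">
</form>"""
```

Running `audit_html(SAMPLE_FORM)` reports the `card` and `contact` fields and ignores the visible name and email inputs and the `type="hidden"` token; a clean result is only as good as the inline styles the parser can see.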
With phishing on the rise worldwide, accounting for over 90% of data breaches and remaining the number one method of attacking end users, the Securecast team believes this recently publicized autofill vulnerability presents a serious risk to end users and organizations globally. Ransomware, username and password breaches, identity fraud, financial loss from stolen credit cards, W-2 breaches that lead to tax refund scams, wire fraud and data loss all start with a simple phishing attack and are amplified by this autofill risk.
Best practice is to disable autofill until browsers stop auto-completing hidden fields.