The Danger Behind Autofill

Although many of the big-name browsers have integrated Autofill to simplify life for consumers, that doesn’t necessarily mean it should be used.

Autofill is the feature that fills out form information for you when the browser recognizes what a field is asking for. For example, if you are filling out an online form and select the autofill option that pops up, the remaining recognized fields are populated automatically with information previously entered in your browser, including your name, email address, phone number, and home address. By default, autofill is enabled when the browser is installed on a device. For a fuller explanation, see the example Autofill form created by Computer Hope.

How can this be abused?

A site built to phish for your information may ask you to fill out a simple form that appears harmless. If the unsuspecting victim uses Autofill on this innocent-looking form, extra information supplied by the browser can be added in, even if the user doesn’t see it. By entering only your name you could accidentally hand your email, phone number, or address to a phishing site.

This technique was recreated by Viljami Kuosmanen, who placed the code on GitHub as a demonstration of how this form of phishing works. Below is the demonstration of Autofill phishing in action:

Image by Viljami Kuosmanen on GitHub.
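As an added example, not code from the original post or from Kuosmanen's repository, the following Node script audits a form's HTML the way a site owner reviewing a third-party form or an analyst triaging a suspected phishing page would: it flags inputs that carry a personal-data autocomplete hint (or a matching field name) but are hidden from the user by an attribute or inline style. The form markup is constructed for this example, and the script inspects inline attributes only; a full audit should check the rendered DOM (computed styles, bounding boxes) in a real browser.

```javascript
// Added example (not from the original post or Kuosmanen's repo): audit form HTML
// for inputs the browser may autofill with personal data but the user cannot see.
// String parsing only, so it runs under Node; in a browser use getComputedStyle.
// Autocomplete tokens naming the kinds of personal data autofill can supply.
const PERSONAL_TOKENS = new Set(['name', 'given-name', 'family-name', 'email', 'tel',
  'street-address', 'address-line1', 'postal-code', 'cc-number', 'cc-exp', 'cc-csc']);
// Inline-style tricks that keep a field out of sight (whitespace stripped first).
const STYLE_TRICKS = { 'display:none': /display:none/, 'visibility:hidden': /visibility:hidden/,
  'opacity:0': /opacity:0(?![.\d])/, 'off-screen': /(left|top):-\d/ };

// Pull the attributes of one <input ...> tag into an object (valueless attrs -> '').
function parseAttrs(tag) {
  const body = tag.replace(/^<input\b/i, '').replace(/\/?>$/, '');
  const attrs = {};
  for (const m of body.matchAll(/([a-zA-Z-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// Why the field is invisible, or null if nothing suspicious is found.
function hiddenReason(attrs) {
  if ('hidden' in attrs) return 'hidden attribute';
  if ((attrs.type || '').toLowerCase() === 'hidden') return 'type=hidden';
  const style = (attrs.style || '').replace(/\s+/g, '').toLowerCase();
  for (const [label, re] of Object.entries(STYLE_TRICKS)) if (re.test(style)) return label;
  return null;
}

// Flag inputs that are hidden AND tagged for personal data (autocomplete hint, else name).
function auditForm(html) {
  const findings = [];
  for (const tag of html.match(/<input\b[^>]*>/gi) || []) {
    const attrs = parseAttrs(tag);
    const hint = (attrs.autocomplete || attrs.name || '').trim().split(/\s+/).pop().toLowerCase();
    const reason = hiddenReason(attrs);
    if (reason && PERSONAL_TOKENS.has(hint)) findings.push({ name: attrs.name, hint, reason });
  }
  return findings;
}

// Constructed sample: one visible field plus three the user never sees (csrf is benign).
const SAMPLE_FORM = `<form action="/newsletter">
  <input name="name" autocomplete="name" placeholder="Your name">
  <input name="email" autocomplete="email" style="display: none">
  <input name="phone" autocomplete="tel" style="position:absolute; left:-9999px">
  <input name="address" autocomplete="street-address" hidden>
  <input name="csrf" type="hidden" value="token-placeholder">
</form>`;
console.log(auditForm(SAMPLE_FORM)); // three findings: email, phone, address
```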

You are not forced to use Autofill by any means. Disabling it is similar across the major browsers in use today:

Chrome:
Select the Chrome menu icon on the top right of the browser > Click “Settings” > Click “Privacy and Security” under Advanced Settings > Switch AutoFill from On to Off.

Firefox:
Select the Firefox menu icon > Click “Options” > Select the Privacy icon > Click “Use custom settings for history” > Deselect the box for “Remember search and form history” > Click OK.

Click the Customize menu button > Select “Settings” > In the Privacy and Security Tab, deselect the checkbox for Autofill.

Safari:
In the browser, select “Safari” > Click the “Autofill” tab in the Preferences window > Uncheck the box for Autofill.

Internet Explorer:
Click the Tools gear on the top right > Select “Internet Options” > Select the “Content” tab > Click “Settings” in the AutoComplete section > Deselect the boxes for Forms and for User Names and Passwords on Forms > Click “OK” > Click “Delete AutoComplete History” > Check Form Data and Passwords > Click “Delete” > Click “OK”.

It’s up to you whether you choose to utilize Autofill or not, but always be conscientious about the integrity of the website you are giving information to. One can never be too safe when using the internet.