CyberCrimeSecuritySecurity Management

Browser Autofill Profile Poses Security Risk

Tom Jowitt is a leading British tech freelance and long standing contributor to TechWeek Europe

Form filling vulnerability. Handy autofill profiles could potentially pose a security risk, says researcher

A Finnish web developer has warned of the dangers posed by autofill profiles, commonly found in a number of web browsers.

Unlike traditional autofill, which just populates a single blank space in a form using previous typed-in information, an autofill profile holds much more data about the user and allows a user to autofill an entire web page, often with just with one click of the button.

It is a handy feature for users regularly filling in online forms, and it should be remembered that autofill profiles are only currently used by Chrome, Safari and Opera. Mozilla is developing the option, but at the moment, Firefox and Edge don’t support autofill profiles.

data-breachProfile Risk

The risk associated with autofill profiles was highlighted by Finnish web developer Viljami Kuosmanen, who published a demo on GitHub.

He became interested in the issue after he became irritated at how much information was stored on him by Google Chrome.

Kuosmanen’s demo show how an attacker could take advantage of those browsers that support autofill profiles. He demo consists of a simple web page containing a Name and Email input field, along with a Submit button.

If the user has an autofill profile setup to populate those two fields, it could allow an attacker to gather much more information than first thought.

This is because an attacker could for example place hidden fields in that web page, such as fields asking for telephone, organisation, address, postal code, and country. These fields would be invisible to the user, who would not be see them unless he or she examined the web page’s source code.

“I had known about this issue for a long time,” Kuosmanen told Bleeping Computer. “A similar thing (honeypots) is used to trap bots in forms to avoid spam. This is the same idea, just trap real browser users instead of bots.”

“The idea for the demo came after I was annoyed about Chrome autofilling wrong fields on an ecommerce site. I then went on to see which details Chrome had saved for autofill about me and was surprised about how much information is available,” Kuosmanen added.

He then conducted an experiment to see the range of form fields Chrome would fill in, and he eventually got the idea of testing hidden form fields.

“I thought it would be a good idea to demonstrate this issue as a gif and shared it on Twitter,” Kuosmanen said.

Switch It Off

Browser users are reminded that they can turn off the autofill profiles, which may be a good idea as autofill profiles tend to turned on by default.

And this is not the first time that concerns have been raised about autofills.

In 2010 Apple patched a Safari autofill bug after a researcher found it was possible for attackers to abuse Safari’s AutoFill feature to steal names, addresses and other information from users.

Quiz: Are you a security expert?