This simple phishing attack can steal your browser autofill data

Your browser might be inadvertently exposing personal data to phishers and attackers because of a flaw in how data is automatically filled on some websites.

Finnish hacker and security researcher Viljami Kuosmanen found that a webpage with form fields hidden from the user will be filled anyway, thanks to the browser's autofill feature, which automatically populates fields, such as names, addresses, and even credit card data.

In the case of Chrome, which autofills data by default, a phisher could trick a user into turning over more personal data than they realize. If the fields on the page are hidden, the user may be none the wiser.

In Kuosmanen's proof-of-concept posted on Github, he was able to obtain a user's address and credit card number, expiration date, and card security code.

Here's how it works:

Several browsers including Google Chrome, Apple's Safari, and Opera are affected by the bug.

But Firefox is said to be immune to the bug, according to Mozila security researcher Daniel Veditz, who said in a tweet that fields that can't be clicked by the user won't be autofilled.

Some browser extensions, such as LastPass, can also be tricked into turning over user data.

ZDNET INVESTIGATIONS

Researchers say a breathalyzer has flaws, casting doubt on countless convictions

Lawsuits threaten infosec research — just when we need it most

NSA's Ragtime program targets Americans, leaked files show

Leaked TSA documents reveal New York airport's wave of security lapses

US government pushed tech firms to hand over source code

Millions of Verizon customer records exposed in security lapse

Meet the shadowy tech brokers that deliver your data to the NSA

Inside the global terror watchlist that secretly shadows millions

198 million Americans hit by 'largest ever' voter records leak

Britain has passed the 'most extreme surveillance law ever passed in a democracy'

Microsoft says 'no known ransomware' runs on Windows 10 S — so we tried to hack it

Leaked document reveals UK plans for wider internet surveillance

• Researchers say a breathalyzer has flaws, casting doubt on countless convictions
• Lawsuits threaten infosec research — just when we need it most
• NSA's Ragtime program targets Americans, leaked files show
• Leaked TSA documents reveal New York airport's wave of security lapses
• US government pushed tech firms to hand over source code
• Millions of Verizon customer records exposed in security lapse
• Meet the shadowy tech brokers that deliver your data to the NSA
• Inside the global terror watchlist that secretly shadows millions
• 198 million Americans hit by 'largest ever' voter records leak
• Britain has passed the 'most extreme surveillance law ever passed in a democracy'
• Microsoft says 'no known ransomware' runs on Windows 10 S — so we tried to hack it
• Leaked document reveals UK plans for wider internet surveillance