Wow, great demonstration. I'd never thought about this being exploited. I wonder if the fix could be something as simple as the browser only allowing non-hidden [Edit: "not visible to the user", I should have said, as this does not appear to auto-fill <input type="hidden"> ] fields to be auto-filled. Otherwise, a warning about what auto-fill information (i.e. "Your name and credit card information are going to be submitted, continue?") has been filled in would be a nice touch. Maybe a browser extension could accomplish this?
Wow, this seems like such an obvious attack vector that I just assumed it was somehow mitigated (somewhere, magically, I suppose). Does it even require the user to press the Submit button, i.e. could the site's JS trigger the POST request after the event of the autofill?
This could be solved by improving the autofill UI to tell you all the data it is filling into the form, even if it isn't visible to you.

Currently, when I trigger autofill in Chrome, it tells me the full suite of information it can input for a certain profile (name, address, company, etc), but it doesn't tell me which bits of information are actually being used. Something as simple as placing checkmarks in this popup next to the information that is actually being used could communicate this better.
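The two comments above both ask for the same thing: before a form goes out, the browser (or an extension) should know which autofilled fields the user cannot actually see and say so. The block below is an added example of that check, written for this thread and not taken from any browser or extension; it assumes a content script would build the `fields` descriptors from the live DOM (`el.type`, `el.name`, `el.value`, `getComputedStyle(el)`, `el.getBoundingClientRect()` and, in Chromium, `el.matches(':-webkit-autofill')` for the `autofilled` flag). The field descriptors and viewport here are constructed sample data so the logic runs stand-alone under Node.

```javascript
// Added example (not from the thread): decide which autofilled fields a user
// cannot see, and build the confirmation text an extension could show on
// submit. Field descriptors are constructed inline; in a real content script
// they would come from the DOM as described in the lead-in.

const VIEWPORT = { width: 1280, height: 800 }; // constructed sample viewport

// Heuristic visibility test covering the usual ways a field is hidden:
// type=hidden, display:none, visibility:hidden, opacity:0, zero size, or
// positioned off-screen. It is conservative on purpose: failing any one of
// these reports the field, so the user is asked rather than the site trusted.
function isVisibleToUser(field, viewport) {
  if (field.type === 'hidden') return false;
  const s = field.style;
  if (s.display === 'none' || s.visibility === 'hidden') return false;
  if (Number(s.opacity) === 0) return false;
  const r = field.rect;
  if (r.width === 0 || r.height === 0) return false;
  // Entirely left of / above the viewport, or starting past its right/bottom edge.
  if (r.left + r.width <= 0 || r.top + r.height <= 0) return false;
  if (r.left >= viewport.width || r.top >= viewport.height) return false;
  return true;
}

// Fields that received autofill data but that the user cannot see.
function findHiddenAutofilledFields(fields, viewport) {
  return fields.filter(
    (f) => f.autofilled && f.value !== '' && !isVisibleToUser(f, viewport)
  );
}

// Prompt text in the spirit of "Your name and credit card information are
// going to be submitted, continue?". Returns null when every autofilled field
// is visible, so an honest form never triggers the prompt.
function buildWarning(fields, viewport) {
  const hidden = findHiddenAutofilledFields(fields, viewport);
  if (hidden.length === 0) return null;
  const what = hidden.map((f) => f.autocomplete || f.name).join(', ');
  return `Autofill also put data into fields you cannot see (${what}). Submit anyway?`;
}

// Constructed sample form: a visible email field, two CSS-hidden fields that
// autofill populated, a server token (type=hidden, never autofilled) and an
// empty visible textarea.
const SAMPLE_FIELDS = [
  { name: 'email', type: 'email', autocomplete: 'email', value: 'alice@example.com',
    autofilled: true, style: { display: 'block', visibility: 'visible', opacity: '1' },
    rect: { left: 40, top: 120, width: 300, height: 32 } },
  { name: 'name', type: 'text', autocomplete: 'name', value: 'Alice Example',
    autofilled: true, style: { display: 'block', visibility: 'visible', opacity: '0' },
    rect: { left: -9999, top: 0, width: 300, height: 32 } },
  { name: 'phone', type: 'tel', autocomplete: 'tel', value: '+1 555 0100',
    autofilled: true, style: { display: 'block', visibility: 'visible', opacity: '1' },
    rect: { left: 40, top: 160, width: 0, height: 0 } },
  { name: 'csrf', type: 'hidden', autocomplete: '', value: 'token-placeholder',
    autofilled: false, style: { display: 'none', visibility: 'visible', opacity: '1' },
    rect: { left: 0, top: 0, width: 0, height: 0 } },
  { name: 'comment', type: 'textarea', autocomplete: '', value: '',
    autofilled: false, style: { display: 'block', visibility: 'visible', opacity: '1' },
    rect: { left: 40, top: 200, width: 300, height: 120 } },
];

// Prints the prompt for the sample form; an extension would instead run this
// from a submit listener and only send the form after the user confirms.
console.log(buildWarning(SAMPLE_FIELDS, VIEWPORT));
```

The `autofilled` flag matters: a site's own `type="hidden"` token or a value its script set is not autofill data, so only fields the browser itself populated are reported, which keeps the prompt from firing on ordinary forms.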
In case anyone is worried, most (all?) browsers do not autofill credit card information without the user explicitly clicking into the credit card field so there's no chance of a hidden field stealing your CC information.
I wrote about this a while ago: https://medium.com/@stabbles/why-you-should-disable-autofill-bf2e15c65b5c
I found this https://bugs.chromium.org/p/chromium/issues/detail?id=132135 which was created when someone noticed the issue happening to their honeypot input box. Looks like it was closed a while ago.

I saw this example doing the rounds on Twitter. Hopefully the Chrome devs notice the noise and move up the priority on fixing / addressing it.
This is why I never put anything secret into browser autofill data. No credit cards, <i>no passwords</i>, nothing I would not be OK with disclosing publicly, or already did.

Sensitive info belongs in a password manager which limits it to the domains the data belong to.

Credit card numbers are a pain, though. I could put them in a password manager, and manually select to fill only that particular field when I need to. In reality I rarely buy things where PayPal or Amazon payment options are not available; I suppose Stripe offers a similar service.
This vulnerability was published (another article) over a year ago. I'm surprised Chrome hasn't fixed it.

I think this means browsers will never fix this issue. I won't be using auto-fill on untrusted websites.
I'd rather have only the field I selected autofilled and be given a secondary option to have every field (or maybe choose which fields) in a form autofilled. This bothers me in innocent, non-phishing forms too—especially when the designers don't put labels on the fields and only use placeholders, which I can no longer see after autofill.
LastPass prompts every time before autofilling your CC# into a form, so it might avoid this issue in that case.

I do believe it would still fail exposing your basic info, such as in this example, however.
Yes! I always had this itch whenever I filled out a field and had the other fields pre-filled by Chrome. I actually thought that maybe there were type="hidden" fields that could have been filled and sent (although as someone points out those aren't, but it isn't hard to hide an input with CSS). But the main point is: whenever I did that I was usually OK with sending out the rest of the information, which either was outdated or I was consciously aware of it.

However, a lot of users might not have that conscience and might be giving out information which they didn't want to. It would be great to shame websites that were employing these shady techniques, but the solution must come from Chrome. Chrome devs: by default only auto fill one field and on the drop down have as the last option to do what you do now, so that you're sure that the user has consciously chosen to auto fill all fields * have a little disclaimer saying this possibility *. That way you get the best of both worlds with an extra key down.
Fillr autofill app requires users to approve every piece of data before autofilling a form. Makes it easy to know when a site is trying something shifty. Dashlane also lets you pick exactly what to fill. Native browser autofills have been battling phishing exploits since early IE days.
I really wish that browsers didn't autocomplete ever. I've had instances where they will happily auto-complete my entire credit card number. Usually, they'll only memorize the first 4 digits, but sometimes they memorize the entire thing.
Was this filed against Firefox, Chrome, and Edge? (it seems like the kind of PoC that you make to prove a point to browser vendors to get them to fix what should obviously be fixed... if the user can't see it, no matter how that's been achieved, don't autofill that field.)
And Chrome wants to ignore autocomplete=off (https://news.ycombinator.com/item?id=11911116)
This is the reason I never use the autofill beyond more than a typechecker. I still explicitly write out what I want to place in the form, and the autofill helps me avoid typos.

However, I always found it odd how something so prone to this kind of attack could be deployed for all non-tech-savvy browser users...
I actually ran across this a while ago, but didn't think to call it phishing.

I was trying to create a honeypot for a front-facing web form, but because of the name I gave the honeypot field, some people's autofill information was filling out that field without them knowing.
This is a very clever hack. I've tried in the past to adjust my HTML to disable autofill and it's not possible to prevent Chrome from aggressively doing it.