If you use the browser "autofill" function, which automatically enters your name, e-mail address, postal address and so on, there is a danger that personal information can be stolen without your knowledge.

When you start typing in a text box in the browser, the "autofill" function suggests and automatically enters the information you have registered. It is very convenient because it saves a great deal of tedious typing. However, it has been pointed out that with autofill turned on you can fall prey to a phishing technique that extracts personal information such as your address and telephone number by a very simple method.

GitHub - anttiviljami/browser-autofill-phishing: A simple demo of phishing by abusing the browser autofill feature

Viljami Kuosmanen, who pointed out the danger of the autofill feature, has published on GitHub a sample phishing program that abuses autofill. Trying this sample makes it clear at a glance how dangerous the autofill function can be.

To try the sample program, click "Clone or download" on the GitHub page above.

Click "Download ZIP" and save the ZIP file wherever you like, such as the desktop.

Extract the downloaded ZIP file with an archiver such as "Explzh" and open the "index.html" in the extracted folder in a browser. In this case the default browser was set to Google Chrome, so the program opened in Chrome.

The phishing page that secretly extracts personal information was then displayed. At first sight it looks like an ordinary registration page that asks you to enter and send a "Name" and "Email".

When "yama" was typed into "Name", the autofill function suggested the name registered in the browser.

Clicking the suggested "yamada tarou" ......

It was automatically entered into both "Name" and "Email". Autofill is, as expected, very convenient.

After that, clicking "Submit" completes sending the information.

However, if you check the form data with the Chrome developer tools (Inspect), you can see that in addition to the name and e-mail address, information such as your address and organization is also about to be sent.

The structure of this page is very simple: "invisible input fields" for the other information, such as the address, are placed outside the visible area of the screen, and the autofill function fills them in as well. It is a simple technique whose only trick is that the user does not notice that information other than the name and e-mail address is being entered.
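As an added check, not code from Kuosmanen's demo, the following script audits a page for form fields that the browser may autofill but that the user cannot see (off-screen, zero-sized or hidden by CSS). The autofill hint list, the field-descriptor shape and the sample form are assumptions constructed for this example.

```javascript
// Added example (not from Kuosmanen's demo): flag form fields the browser may autofill
// but the user cannot see. auditFields() works on plain descriptors so it also runs
// outside a browser; collectFields() builds those descriptors from a live DOM.
// Assumption: a representative list of profile-autofill hints, not any browser's exact set.
const AUTOFILL_HINTS = /(^|[\s_-])(name|email|phone|tel|address|street|city|zip|postal|country|organization|cc-)/i;

function isInvisible(f) {
  // f.rect is the element box in viewport coordinates; f.style holds computed style values
  const s = f.style, r = f.rect;
  if (s.display === 'none' || s.visibility === 'hidden' || parseFloat(s.opacity) === 0) return true;
  if (r.width === 0 || r.height === 0) return true;
  if (r.x + r.width <= 0 || r.y + r.height <= 0) return true;   // pushed off the left/top edge
  return r.x >= f.viewportWidth || r.y >= f.viewportHeight;     // pushed off the right/bottom edge
}

function auditFields(fields) {
  // Return every field that looks autofillable yet is not visible to the user.
  return fields.filter(f => {
    const hint = `${f.autocomplete || ''} ${f.name || ''} ${f.id || ''}`;
    const autofillable = f.type !== 'hidden' && f.autocomplete !== 'off' && AUTOFILL_HINTS.test(hint);
    return autofillable && isInvisible(f);
  });
}

function collectFields(doc = document, win = window) {
  // Browser only: paste into the devtools console and run auditFields(collectFields()).
  return Array.from(doc.querySelectorAll('input, select, textarea')).map(el => {
    const r = el.getBoundingClientRect(), cs = win.getComputedStyle(el);
    return { name: el.name, id: el.id, type: el.type, autocomplete: el.getAttribute('autocomplete'),
      rect: { x: r.left, y: r.top, width: r.width, height: r.height },
      style: { display: cs.display, visibility: cs.visibility, opacity: cs.opacity },
      viewportWidth: win.innerWidth, viewportHeight: win.innerHeight };
  });
}

// Constructed sample mirroring the page described above: "name" and "email" are visible,
// "address" is shifted far off the left edge and "organization" is display:none.
const VISIBLE = { display: 'block', visibility: 'visible', opacity: '1' };
const VIEW = { viewportWidth: 1280, viewportHeight: 800 };
const SAMPLE_FIELDS = [
  { name: 'name', type: 'text', rect: { x: 20, y: 100, width: 240, height: 30 }, style: VISIBLE, ...VIEW },
  { name: 'email', type: 'email', rect: { x: 20, y: 150, width: 240, height: 30 }, style: VISIBLE, ...VIEW },
  { name: 'address', type: 'text', rect: { x: -5000, y: 100, width: 240, height: 30 }, style: VISIBLE, ...VIEW },
  { name: 'organization', type: 'text', rect: { x: 0, y: 0, width: 0, height: 0 }, style: { ...VISIBLE, display: 'none' }, ...VIEW },
  { name: 'csrf_token', type: 'hidden', rect: { x: 0, y: 0, width: 0, height: 0 }, style: VISIBLE, ...VIEW },
];
function auditSample() {
  return auditFields(SAMPLE_FIELDS).map(f => f.name);   // → ["address", "organization"]
}
```

Fields of type "hidden" are skipped because browsers never autofill them; the flagged ones are ordinary text inputs that a profile would populate even though they are out of view.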

With this extremely simple method it is possible to collect personal information in secret. To prevent damage from this kind of phishing, it seems the only option is to turn off the autofill function. To turn off autofill in Chrome, go to "Settings" → "Passwords and forms" and uncheck "Enable automatic entry of web forms with one click".

Posted in Review, Software, Security by darkhorse_log