
Browser auto-fill phishing - christop
https://github.com/anttiviljami/browser-autofill-phishing
======
aesthetics1
Wow, great demonstration. I'd never thought about this being exploited. I
wonder if the fix could be something as simple as the browser only allowing
non-hidden [Edit: "not visible to the user", I should have said, as this does
not appear to auto-fill <input type="hidden"> ] fields to be auto-filled.
Otherwise, a warning about what auto-fill information (i.e. "Your name and
credit card information are going to be submitted, continue?") has been filled
in would be a nice touch. Maybe a browser extension could accomplish this?

~~~
athenot
The <input> elements are not hidden, they are just drawn off the screen. So
the browser would have to determine if the item is visible to the user, which
is not trivial. Should autofill skip regular form elements that are just a
little below the viewport?

Maybe some feedback from the browser detailing which datapoints were
autofilled. I don't know...

~~~
jonknee
> So the browser would have to determine if the item is visible to the user,
> which is not trivial

This is not terribly difficult, browsers need to know what is visible because
they have to actually display it. If an element isn't drawn it shouldn't be
autofilled.

~~~
choward
> If an element isn't drawn it shouldn't be autofilled.

So if a form is too long and you need to scroll, all those fields you can't
see won't be auto-filled? Sounds pretty terrible IMO.

~~~
chinathrow
To me (as a non autofill user), the published bug sounds way more harmful than
a little inconvenience.

~~~
elsurudo
It's not just an inconvenience – it's broken and unexpected UI behaviour.
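
The sub-thread above turns on whether a browser (or an extension, as suggested at the top) could tell "drawn off the screen" apart from "a little below the viewport". Here is one such heuristic as an added example in JavaScript; it is not code from the linked PoC or from any browser, and the element shape, hint list and sample form are constructed for illustration.

```javascript
// Added example (not code from the linked PoC or from any browser): a
// heuristic an audit script or extension could use to flag autofill-eligible
// inputs the user cannot reach. Elements are plain objects here so the code
// runs outside a browser; in a page you would build each one from the DOM
// (name/autocomplete/type attributes, getBoundingClientRect() shifted by the
// window scroll offsets into document coordinates, and getComputedStyle()).
const AUTOFILL_HINTS = ['name', 'email', 'phone', 'tel', 'address', 'street',
  'city', 'zip', 'postal', 'organization', 'company', 'cc-', 'card'];

// Browsers do not fill <input type="hidden">, so only text-like inputs whose
// name, id or autocomplete token resembles a profile field are of interest.
function looksAutofillable(input) {
  if (input.type === 'hidden') return false;
  const hay = `${input.name || ''} ${input.id || ''} ${input.autocomplete || ''}`.toLowerCase();
  return AUTOFILL_HINTS.some(h => hay.includes(h));
}

// "Unreachable" means the user could not scroll to it: CSS hides it, it sits
// beyond the left/top edge, or it lies past the document's scrollable extent.
// A field merely below the fold (the objection raised above) counts as reachable.
function isUserReachable(input, page) {
  const s = input.style;
  if (s.display === 'none' || s.visibility === 'hidden') return false;
  if (s.opacity !== undefined && parseFloat(s.opacity) === 0) return false;
  const r = input.rect; // document coordinates
  if (r.width <= 0 || r.height <= 0) return false;
  if (r.left + r.width <= 0 || r.top + r.height <= 0) return false;
  if (r.left >= page.scrollWidth || r.top >= page.scrollHeight) return false;
  return true;
}

// Returns the names of inputs that autofill would likely populate but the
// user would never see, which is the pattern the PoC relies on.
function suspiciousAutofillFields(inputs, page) {
  return inputs
    .filter(i => looksAutofillable(i) && !isUserReachable(i, page))
    .map(i => i.name);
}

// Constructed sample form (not taken from the PoC): two honest fields, one of
// them below the fold, three profile fields hidden in different ways, and an
// off-screen field that autofill would not recognise anyway.
const SAMPLE_PAGE = { scrollWidth: 1200, scrollHeight: 3000 };
const SAMPLE_INPUTS = [
  { name: 'email', type: 'text', rect: { left: 100, top: 200, width: 300, height: 30 }, style: {} },
  { name: 'phone', type: 'text', rect: { left: 100, top: 2500, width: 300, height: 30 }, style: {} },
  { name: 'address', type: 'text', rect: { left: -5000, top: 200, width: 300, height: 30 }, style: {} },
  { name: 'organization', type: 'text', rect: { left: 100, top: 260, width: 300, height: 30 }, style: { opacity: '0' } },
  { name: 'cc-number', type: 'text', rect: { left: 100, top: 290, width: 300, height: 30 }, style: { display: 'none' } },
  { name: 'comment', type: 'text', rect: { left: -5000, top: 300, width: 300, height: 30 }, style: {} },
];

console.log(suspiciousAutofillFields(SAMPLE_INPUTS, SAMPLE_PAGE));
// → [ 'address', 'organization', 'cc-number' ]
```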

------
danso
Wow, this seems like such an obvious attack vector that I just assumed it was
somehow mitigated (somewhere, magically, I suppose). Does it even require the
user to press the Submit button, i.e. could the site's JS trigger the POST
request after the event of the autofill?

~~~
alexwebb2
No need for a submit click. Presumably auto-fill triggers a change event on
each affected input, but even if it didn't, an attacker could just repeatedly
check for new content in the inputs. This means an optimistic solution
(autofilling and then unobtrusively notifying the user what was autofilled) is
not viable.

~~~
bsimpson
I don't think it does trigger a change for exactly this reason. I tried to
build a Material login page a couple years back, where the placeholder became
the label when you typed. I couldn't get it to work with autofill, because I
couldn't find a vector to detect when autofill had happened. Here's a related
issue:

[https://bugs.chromium.org/p/chromium/issues/detail?id=352527](https://bugs.chromium.org/p/chromium/issues/detail?id=352527)

~~~
tyingq
It doesn't trigger a change, but you can certainly poll for non empty strings:
[https://jsfiddle.net/k91o1dw9/7/](https://jsfiddle.net/k91o1dw9/7/)

Edit: That is, for the purposes of this exploit. I understand it's ugly.

------
tiglionabbit
This could be solved by improving the autofill UI to tell you all the data it
is filling into the form, even if it isn't visible to you.

Currently, when I trigger autofill in Chrome, it tells me the full suite of
information it can input for a certain profile (name, address, company, etc),
but it doesn't tell me which bits of information are actually being used.
Something as simple as placing checkmarks in this popup next to the
information that is actually being used could communicate this better.

~~~
kalleboo
> _This could be solved by improving the autofill UI to tell you all the data
> it is filling into the form, even if it isn't visible to you._

Safari does this already

------
error54
In case anyone is worried, most (all?) browsers do not autofill credit card
information without the user explicitly clicking into the credit card field so
there's no chance of a hidden field stealing your CC information.

~~~
stevarino
This requires the browser to recognize it as a credit card field.

Suppose a form uses a non-standard name for the field (say a localized name),
and a user enters it at a legitimate site. Any attacker simply has to find
these non-standard names for auto-complete to fill this in.

I feel like I've seen a credit card autofill before outside of normal
controls.

~~~
jazoom
But then the browser won't autofill it, so what's the problem?

~~~
sharkoz
It will if the attacker uses the same custom name for his field. The attacker
could try to suck as much data as possible by creating thousands of hidden
fields having a lot of possible combinations for the names of these
non-standard CC fields, and wait to get lucky.

------
stabbles
I wrote about this a while ago: [https://medium.com/@stabbles/why-you-should-disable-autofill...](https://medium.com/@stabbles/why-you-should-disable-autofill-bf2e15c65b5c)

~~~
bored
Also, malicious scripts can change the password input type field to a regular
text field and grab it from there.

~~~
talmand
There's no need to convert the input type to get the plain text value of a
password input. It just masks the input value visually.

------
thebosz
Firefox doesn't exhibit this behavior, but the site doesn't specifically state
which browsers this affects.

~~~
vog
Indeed, I'm really glad there is at least one popular browser not affected by
this.

This is one of the many examples where a privacy-first approach pays off not
just in terms of privacy but also in terms of security. In Germany we use the
term "Datensparsamkeit" for this principle. Not sure if there is a
well-established English term in the international community.

So why do other browsers fill in these fields automatically? Why don't they
wait until asked by the user? Because it is more "convenient" for the user?
Moreover who benefits from that? Not the users, not the browser vendors, but
all those websites with overly long registration forms. These confront their
visitors with lots of irrelevant fields (birthday, gender, etc.) just for the
sake of collecting data. Nobody would fill all that in voluntarily, but I
guess more people will do so (perhaps accidentally) if their browser fills
that in by default.

------
daheza
I found this
[https://bugs.chromium.org/p/chromium/issues/detail?id=132135](https://bugs.chromium.org/p/chromium/issues/detail?id=132135)
which was created when someone noticed the issue happening to their honeypot
input box. Looks like it was closed a while ago.

I saw this example doing the rounds on twitter. Hopefully the chrome devs
notice the noise and move up the priority on fixing / addressing it.

~~~
Terr_
> Chrome Autofill is specifically designed to help users quickly fill forms
> that they've never filled before.

Browsers auto-guessing private data into arbitrary fields on never-before-used
webpages?

IMO that's "Just because you _can_ doesn't mean you _should_" territory.

------
nine_k
This is why I never put anything secret into browser autofill data. No credit
cards, _no passwords_, nothing I would not be OK with disclosing publicly, or
already did.

Sensitive info belongs to a password manager which limits it to the domains
the data belong to.

Credit card numbers are a pain, though. I could put them to a password
manager, and manually select to fill only that particular field when I need
to. In reality I rarely buy things where PayPal or Amazon payment options are
not available; I suppose Stripe offers a similar service.

~~~
nucleardog
> Sensitive info belongs to a password manager which limits it to the domains
> the data belong to.

So all that stands between you and being in this exact situation (or worse,
since passwords) is your password manager's url comparison?

I refuse to use LastPass - the interface is horrible (probably because you're
expected to use the browser extension). But I don't want my password manager
anywhere _near_ my browser. I'd really rather have to take an affirmative
action in order to release each individual piece of information so I know what
I'm disclosing and to who.

~~~
cbr
> your password manager's url comparison?

Better than manual url comparison! A surprising number of humans think things
like www.goodcompany.evil.com are urls for "Good Company", and anyone can
screw up and make mistakes checking urls (www.goodcomany.com).

~~~
ksenzee
Add Unicode and it gets worse. I don't trust my eyes to differentiate between
Cyrillic а and Latin a.
[https://en.wikipedia.org/wiki/IDN_homograph_attack](https://en.wikipedia.org/wiki/IDN_homograph_attack)

~~~
cbr
Browsers only display unicode in domain names if the TLD has restrictions on
character sets that prevent homograph attacks.

See
[https://en.wikipedia.org/wiki/IDN_homograph_attack#Defending...](https://en.wikipedia.org/wiki/IDN_homograph_attack#Defending_against_the_attack)
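
The two comments above contrast a password manager's host comparison with checking by eye, and the homograph problem on top of it. As an added example in JavaScript (not code from any password manager), here is what such a comparison can look like: registrable-domain matching plus a flag on punycode labels. The public-suffix table, the saved URL and the lookalike hosts are constructed for illustration.

```javascript
// Added example (not from any password manager's source): the kind of
// host check a password manager can apply before releasing a credential,
// set against the by-eye comparisons discussed above. The public-suffix
// table is a constructed stub; a real implementation uses the full list.
const PUBLIC_SUFFIXES = new Set(['com', 'net', 'org', 'co.uk']); // constructed subset

// Reduce a hostname to its registrable domain (eTLD+1): the label just
// before the first public suffix, plus that suffix.
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().split('.');
  for (let i = 1; i < labels.length; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join('.'))) return labels.slice(i - 1).join('.');
  }
  return hostname.toLowerCase();
}

// The WHATWG URL parser hands back IDN labels in punycode (xn--...), so a
// label with that prefix is where a homograph could hide.
function hasIdnLabel(hostname) {
  return hostname.split('.').some(label => label.startsWith('xn--'));
}

// Decide whether a credential saved for storedUrl may be filled on currentUrl.
// Machine comparison sidesteps both failure modes mentioned above: a lookalike
// subdomain of another registrable domain, and a one-letter typo in the host.
function fillDecision(storedUrl, currentUrl) {
  const stored = new URL(storedUrl);
  const current = new URL(currentUrl);
  if (current.protocol !== 'https:') return { fill: false, reason: 'not https' };
  if (hasIdnLabel(current.hostname) && !hasIdnLabel(stored.hostname)) {
    return { fill: false, reason: 'IDN label absent from saved host' };
  }
  if (registrableDomain(current.hostname) !== registrableDomain(stored.hostname)) {
    return { fill: false, reason: 'different registrable domain' };
  }
  return { fill: true, reason: 'same registrable domain' };
}

const SAVED = 'https://www.goodcompany.com/login'; // constructed saved entry
console.log(fillDecision(SAVED, 'https://login.goodcompany.com/'));    // fill: true
console.log(fillDecision(SAVED, 'https://www.goodcompany.evil.com/')); // different registrable domain
console.log(fillDecision(SAVED, 'https://www.goodcomany.com/'));       // different registrable domain
console.log(fillDecision(SAVED, 'https://www.goodcompаny.com/'));      // Cyrillic а: IDN label
```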

------
FryHigh
This vulnerability was published (another article) over a year ago. I'm
surprised Chrome hasn't fixed it.

I think this means browsers will never fix this issue. I won't be using
auto-fill on untrusted websites.

~~~
robert_tweed
This is a _very_ old exploit. The earliest references I could find were from
2010.

As other comments have noted, it isn't trivial to fix completely, so I believe
most browsers just haven't bothered at all, but have implemented some extra
protection for credit cards (and of course, CVV numbers are never stored in
the first place).

------
ericrav
I'd rather have only the field I selected autofilled and be given a secondary
option to have every field (or maybe choose which fields) in a form
autofilled. This bothers me in innocent, non-phishing forms too—especially
when the designers don't put labels on the fields and only use placeholders,
which I can no longer see after autofill.

~~~
kalleboo
Safari lets you choose which fields to fill in by clicking a "Customize"
option that pops up, but I doubt any normal user will bother looking that far.

------
thesumofall
Even as an experienced user it never crossed my mind that this might happen.
Good catch

------
SippinLean
LastPass prompts every time before autofilling your CC# into a form, so it
might avoid this issue in that case.

I do believe it would still fail exposing your basic info, such as in this
example, however.

~~~
inopinatus
Basic info is more critical than credit card numbers, at least in my country
(Australia) where the issuer or merchant would be liable for any subsequent
fraudulent transactions; at worst I would be inconvenienced a few days whilst
a new card & number was issued. Compared to outright identity theft, that's
minor.

------
joantune
Yes! I always had this itch whenever I filled out a field and had the other
fields pre filled by chrome. I actually thought that maybe there were
type="hidden" that could have been filled and sent (although as someone points
out those aren't but it isn't hard to hide an input with CSS). But the main
point is: whenever I did that I was usually OK with sending out the rest of
the information which either was outdated or I was consciously aware of it.

However, a lot of users might not have that conscience and might be giving out
information which they didn't want to. It would be great to shame websites
that were employing these shady techniques, but the solution must come from
Chrome. Chrome devs: by default only auto fill one field and on the drop down
have as the last option to do what you do now, so that you're sure that the
user has consciously chosen to auto fill all fields _have a little disclaimer
saying this possibility_. That way you get the best of both worlds with an
extra key down

~~~
joantune
PS: and/or like someone said that happens in Safari: name the fields that you
are about to autofill in the last choice to autofill everything

------
VarunAgw
If I remember correctly, it has been reported several times in the past and
Chrome doesn't care about it at all.

------
misterballs
Fillr autofill app requires users to approve every piece of data before
autofilling a form. Makes it easy to know when a site is trying something
shifty. Dashlane also lets you pick exactly what to fill. Native browser
autofills have been battling phishing exploits since early IE days.

------
robertelder
I really wish that browsers didn't autocomplete ever. I've had instances where
they will happily auto-complete my entire credit card number. Usually, they'll
only memorize the first 4 digits, but sometimes they memorize the entire
thing.

~~~
kardos
You can disable it,

[https://support.mozilla.org/en-US/kb/control-whether-firefox...](https://support.mozilla.org/en-US/kb/control-whether-firefox-automatically-fills-forms#w_prevent-firefox-from-storing-form-entries)

[https://support.google.com/chrome/answer/142893?co=GENIE.Pla...](https://support.google.com/chrome/answer/142893?co=GENIE.Platform%3DDesktop&hl=en)

~~~
flanbiscuit
For me it pops up a little box under the input asking me to choose if I want
to autofill. I like this option because it doesn't autofill without permission
but my info is still saved and easily accessible.

------
throwaway2016a
Complete tangent but... why is this a NPM package? There is no actual
Javascript code in it.

~~~
robert_tweed
It's not actually published on npmjs.org. Author probably just ran npm init
out of force of habit. It's actually quite nice that they have their standard
metadata & licence where it's easy to find.

They should probably have private: true in there though, to stop it getting
published by mistake, since it isn't a component anyone could usefully import.

------
alpb
Just confirmed 1Password’s AutoFill for identity is also vulnerable to this on
Chrome.

------
TheRealPomax
Was this filed against Firefox, Chrome, and EDGE? (it seems like the kind of
PoC that you make to prove a point to browser vendors to get them to fix what
should obviously be fixed... if the user can't see it, no matter how that's
been achieved, don't autofill that field.)

~~~
lucb1e
Firefox is not vulnerable.

Chrome was shown to be vulnerable like 7 years ago but nothing changed.

Closed source stuff like MSIE or Safari? No idea, ask a Windows or OS X user.

~~~
TheRealPomax
MS EDGE, unlike the now hopelessly outdated Internet Explorer, has an open
issue tracker. And as Safari is literally just webkit, which also has an open
issue tracker, there was no need to pretend to be better than Windows and OSX
users by pretending they're on their own.

------
avodonosov
And Chrome wants to ignore autocomplete=off
([https://news.ycombinator.com/item?id=11911116](https://news.ycombinator.com/item?id=11911116))

~~~
ycmbntrthrwaway
Why not? Anyone who wants to steal your information would not try to disable
autocomplete anyway.

~~~
avodonosov
You're right, following the standard in regard to autocomplete=off will not
prevent this attack.

I think I remembered that because the direction of thought that autocomplete
should always be enabled appears as wrong to me. And this situation reminded
me of this direction of thought in the past case.

------
shurcooL
This is the reason I never use the autofill as more than a typechecker. I
still explicitly write out what I want to place in the form, and the autofill
helps me avoid typos.

However, I always found it odd how something so prone to this kind of attack
could be deployed for all non-tech savvy browser users...

------
tcfunk
I actually ran across this a while ago, but didn't think to call it phishing.

I was trying to create a honeypot for a front-facing web form, but because of
the name I gave the honeypot field, some people's autofill information was
filling out that field without them knowing.

------
grandalf
This is a very clever hack. I've tried in the past to adjust my HTML to
disable autofill and it's not possible to prevent Chrome from aggressively
doing it.

~~~
hamhamed
It's disabled if you do autocomplete=off in the attributes

~~~
grandalf
Not in my tests, it continued to aggressively populate forms with
autocomplete="off" set.

~~~
talmand
That would be because that attribute is for a different feature of the
browser. The autofill that this method takes advantage of is more of an
extension beyond the standard browser feature.

Besides, someone using this for a phishing method wouldn't use that attribute
anyway.

------
matt_wulfeck
The only thing I can think of is a separate prompt, that would ask "Do you
want to autofill Name, Address, Phone..." etc.

~~~
vog
That popup is not needed. Firefox does this simply through auto-complete. The
user starts typing their email address, and voila, the browser completes it.

This is a nice example of a feature that is trivially accessible and yet
unobtrusive.

(Alternatively, you can press the down-arrow on the empty field, which will
open the auto-completion as well.)

~~~
takeda
Old Opera went one step further, where it would fill forms using a Wand
button. This approach also was used for logging in.

IMO, a much better way, since it works well in situations where your passwords
are encrypted and the browser is configured to forget the master key after a
while.

Firefox in that scenario will bug you about the master password each time you
go to a page where such a password is stored.

------
noblethrasher
It even works in incognito mode (Chrome 55.0.2883.87 on Windows 8.1; tested
against my bank's website).

------
zacharycohn
Saw the title of this, didn't even open the link, just thought "oh... Crap."

------
ulber
Save form data and especially save passwords have always seemed phishy to me.

------
digi_owl
Yet more blowback from trying to be "user friendly"...

------
robinduckett
Didn't work for me. Chrome 55.0.2883.87

------
shefaliprateek
Are there any API products or Chrome plugins to check / verify if a certain
page is a phishing attack?

------
ComodoHacker
I get 405 after submit.

~~~
jaakl
Me too, but just use the developer console to see the same (horrifying)
results as shown in the gif.

------
joshmn
Genius.

------
dexterdear
ok, let's try.

------
dexterdear
ok let's try..

------
hajderr
Great state of the web

~~~
talmand
It's not the web, as it's working as it should; this is a browser problem.

