Autofill abuse allows websites to grab sensitive user data - ladino
http://board.protecus.de/files/autofill-abuse/demo.html
Several browsers leak vCards and user data through their autofill feature - I am happy about any support and comments!
======
babarock
This raises another issue I have been concerned with for a while. The WWW
model is broken, namely the use of Javascript. I'm not talking about the
language itself, it has been getting enough love lately as it is. Just the
idea of a webserver sending me code, obfuscated code at that [1], that my
browser executes by default; how did this idea prevail on the web, I wonder.
Am I the only one to see the horrendous security flaw? "Come to my website,
I'll distract you with my pretty pictures while my code roams freely on your
computer[2]".

[1] - I know obfuscation is minification meant for minimizing bandwidth
consumption. It's still obfuscated code, despite best intent.

[2] - I understand that the code execution is sandboxed inside the web
browser, but really is it at all possible that, you know, these guys let the
occasional security flaw slip?

~~~
omgtehlion
Javascript has nothing to do with autofill.

~~~
pagekalisedown
You're correct, but the parent brings up a valid (if a bit off topic) point.

Eye candy is great, but Javascript has often been a vector for privacy issues.
Hence the popularity of NoScript and most browsers having an option to disable
Javascript.

------
joshuahedlund
Stopping autofill of hidden fields is easy and must be done.

To truly fix this bug, though, it would be nice to also stop autofill of
technically "visible" fields that are tiny or under another object or
otherwise obscured. But that might be orders of magnitude more difficult.

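The check the comment above describes, as an added example that is not code from the linked demo or from any poster: a heuristic audit that flags form inputs a browser may autofill even though the user cannot see them. It reads only inline attributes (not stylesheets, so CSS-hidden fields need a DOM-side check), the list of autofill field names is an assumption, and the sample form is constructed for the example.

```python
from html.parser import HTMLParser
import re

# Assumed: field names browsers commonly map to stored contact/card data.
AUTOFILL_NAMES = re.compile(r"name|email|phone|tel|address|city|zip|postal|cc|card", re.I)
# Inline-style tricks that hide a field while keeping it in the DOM.
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden|opacity\s*:\s*0(?![.\d])|left\s*:\s*-\d{3,}px", re.I)

class _InputCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.inputs = []
    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.inputs.append({k: (v or "") for k, v in attrs})

def is_obscured(attrs):
    """True if inline attributes make the input invisible or a 1-2px box."""
    style = attrs.get("style", "")
    if HIDDEN_STYLE.search(style):
        return True
    box = re.search(r"(?:width|height)\s*:\s*(\d+)px", style, re.I)
    return bool(box) and int(box.group(1)) <= 2

def find_hidden_autofill_fields(html):
    """Return names of autofillable inputs the user would never see."""
    collector = _InputCollector()
    collector.feed(html)
    flagged = []
    for a in collector.inputs:
        # type=hidden is not an autofill target; buttons hold no data.
        if a.get("type", "text").lower() in ("hidden", "submit", "button"):
            continue
        if a.get("autocomplete", "").lower() == "off":
            continue
        name = a.get("name") or a.get("id") or ""
        if AUTOFILL_NAMES.search(name) and is_obscured(a):
            flagged.append(name)
    return flagged

# Constructed sample: one visible field plus several hidden ones.
SAMPLE = """<form>
  <input name="fullname">
  <input name="email" style="display:none">
  <input name="phone" style="position:absolute; left:-9999px">
  <input name="address" style="width:1px;height:1px;opacity:0.01">
  <input name="ccnumber" autocomplete="off" style="visibility:hidden">
</form>"""

if __name__ == "__main__":
    print(find_hidden_autofill_fields(SAMPLE))  # ['email', 'phone', 'address']
```
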
------
rmoriz
Well, at least it requires explicit user action.

If I enter my real name somewhere, I'm probably fine with providing my phone
and post address, too. When in doubt I use a fake identity.

What about Chrome's credit card autofill?

~~~
Jgrubb
I always wondered about this. Also, wouldn't it be really easy to have a form
pull autofilled CC info via ajax without even needing the user to hit submit?

~~~
alanbyrne
I was just wondering the same thing, using the onchange action.

~~~
ceejayoz
If I'm remembering correctly, Chrome's autofill doesn't fire change events for
the fields. Has annoyed me from a developer standpoint at times, but the
reason behind it is valid.

~~~
mattstreet
Though to grab this info with ajax it doesn't have to fire off an event when
the auto-complete changes it. It could just check every second itself if the
form changed and if so send off the info.

------
andrewjshults
Same problem happens with Lastpass (which at least requires you to click the
fill form button, rather than auto populating the fields).

------
ilmare
One workaround for this in Chrome is to remove name/email values from the address
auto-fill form, so it will only populate when you actually enter an address. And
it's generally a good idea to separate general browsing from
personal/finance/etc. using user profiles.

------
k33n
Using Chrome 18.0.1025.151 and it doesn't seem to be susceptible to this.

~~~
wgx
Same build here (on OSX 10.7.3) and it does indeed pre-populate the hidden
fields for me.

------
ArekDymalski
Nice find - you've noticed an important threat. However, on my Chrome (despite
having autofill switched on) your demo doesn't work.

~~~
ydant
It, sadly, does on my install of Chrome (18.0.1025.113 beta) - Linux 32 bit.

~~~
wglb
You probably want to upgrade to the .151 version, which fixes other
vulnerabilities as well.

~~~
ianterrell
I'm on that version (18.0.1025.151) on OS X 10.7.3 and the vulnerability was
present for me.

~~~
wglb
And after I wrote the above comment, I tested it and I am as well, on Linux.

The fun thing about this type of vulnerability is that if you know the user's name,
you can build an invisible form component to get the browser to spill the
stored password.