The Latest in IT Security

Another day, another demo exploit – this time, Chrome is the tattletale (autofill vulnerabilities)

Another day, another demo exploit – this time, Chrome is the tattletale (autofill vulnerabilities)


Unfortunately, often in the digital environment what makes things faster and easier is riddled with cyber security risks. This time, it is about the autofill feature. Finish specialist Viljami Kuosmanen illustrated how easy it is for third parties to get private user data via autofill storage. The culprit software is the Chrome browser, whose autofill system is “centralized”.

How does this autofill vulnerability work?

It is all about the unaware user, delivering his/her information to the website which requires a username and password. They start typing their username, then the browser provides the rest of the account data via autofill. From email to address, all the details appear in the Network Activity section of the website. It’s all there in Chrome – raw, un-encrypted form data.

Thus is turns out that the autocomplete feature in browsers can be tricky in what cyber security is concerned. Not all browsers work the same. The Finish researcher points out that although Safari fills in all form data, too, the details themselves are not visible for the person which initiated the login. Firefox requests users to “right click an input field and then select an identity to use. So a Firefox user autofills each field”, according to Viljami Kuosmanen. Opera and various utilities such as LastPass apparently also give up sensitive information stored for autofill purposes.

The attack defines as an extremely simple phishing attack. All the attacker needs is to make the user fill out online forms. With a username that has been previously used and that links to other accounts. Triggering email, address, organization or even credit card information details.

The autofill vulnerability – as discussed before

The risks coming from account data stored on websites or simply in the browser’s autofill “pocket” have been approached before. True, in a different form than the amazingly simple demo exploit coming from Kuosmanen.

In early 2016, online sources warned mobile owners about their habit of storing credit card details on ecommerce sites and about the risks of employing autofill. For the sake of convenience, mobile users simply renounced to type in their details every time they needed to. Instead, the fast and comfortable autofill allowed them to save time and mistypes annoyances by just a couple of gestures.

Nevertheless, this procedure turns out to be a potential trap. Much bigger annoyances can appear down the road if greedy cyber-criminals manage to get their hands on the devices. Now, thanks to Kuosmanen’s discovery, we know that autofill data theft is possible without accessing personal devices, too. Just by filling in an innocent-looking form from their Chrome browser, users can put their sensitive data into malicious hands.

We have a warning – what do we do with it?

It does not come as a surprise that advanced technology makes people extremely lazy. Our desire for comfort increases along with the rate of access to various digital tools. The marketing contributes to this tendency. Messages that pinpoint the fact that technology makes our lives easier create the expectancy of seamless experiences. The owners of devices most likely forget to ask themselves whether progressive features are safe or not. At a personal level, they feel like they need not bother with cyber-security details.

Unfortunately for all who think this way, there are no absolute guarantees in what cyber protection is concerned, Although the armies of specialists continuously try to stay on top of the cyber warfare battle, they face armies of cyber intruders. It’s a never-ending competition in which users often fall prey to cyber theft.

Keeping cyber threats at bay begins at the individual level. As we have said it and we will probably say it over and over again, as an account owner, or, at a business level, as an account manager, learn to anticipate what the cyber enemy could think. Do not prompt unnecessary information to whomever puts a digital form under your eyes. And, with a particular demo in this autofill case, never let comfort get the better of you in what cyber prevention is concerned.

Fighting cyber crime needs community spirit

The online environment is a community, regardless of whether it was meant to be like this or not. Due to all the intricate connections and the way data travels, what happens in one spot can soon spread epidemically.

This is why in cyber security it is important to secure all endpoints. Apply this to Internet browsing and all users become endpoints. Instead of being vulnerabilities, we can increase our awareness and become strongholds.

By asking ourselves the right questions before submitting valuable online data here and there and by taking action whenever we notice anomalies we can strengthen cyber security in the online environment. Of course, this means some actions will take longer and we would have to research the correct answers to those right questions. Nevertheless, it is well worth it.

In what action is concerned, the most accessible form consists of reporting important observations to those who can investigate. Don’t just go by – notify the website owners, the specialized department, the authorities. It takes a few minutes, but it may help in securing your data, as well as other people’s data by stopping malicious digital actions.

Leave a reply





Latest Comments

Social Networks