We’re often told that using Autofill or a password manager such as LastPass is the best way to keep your online passwords and account information safe from hackers.
However, a newly discovered flaw in popular web browsers such as Chrome, Opera and Safari, as well as in the plugins of numerous password managers, has revealed that the Autofill feature could inadvertently be giving away personal details, passwords and credit card information to cyber criminals.
The flaw was discovered by Finnish web developer Viljami Kuosmanen, who found that the autofill on Google Chrome, Opera and Apple’s Safari web browser could be tricked into giving away your data.
Autofill is designed to eliminate the repetition of inputting passwords, as well as the need to remember different passwords for our growing number of online accounts.
When you input information onto a website, such as when adding your name or address to an online form, Autofill suggests information that can be inputted into a specific field. Once you select one of its suggestions it adds it to the field and also remembers your selection for future use.
Kuosmanen discovered that when you add data to an online form or text box using Autofill, the system also adds other profile information into hidden text boxes which may not be visible to the regular user.
This means that when you input seemingly basic information into a site, such as your name or email, Autofill could still be sending other more personal data such as credit card details, date of birth or passwords it already has stored in its system.
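The behaviour described above can be checked for from the defender's side. The following is an added example, not code from the article or from Kuosmanen: it lists the form fields that carry personal-data hints but are rendered where the user cannot see them. The function names, the token list, the size thresholds and the sample data are all assumptions made for illustration.

```javascript
// Added example, not from the article. Token list and thresholds are assumptions.
const PERSONAL = /name|email|tel|phone|address|postal|organization|cc-|card|bday|password/i;

// Browser only: reduce a live form control to the facts the check needs.
// Coordinates are converted to page space so scrolling does not cause false hits.
function describe(el) {
  const s = getComputedStyle(el), r = el.getBoundingClientRect();
  return {
    name: el.name || '', autocomplete: el.autocomplete || '',
    display: s.display, visibility: s.visibility, opacity: Number(s.opacity),
    left: r.left + scrollX, right: r.right + scrollX, bottom: r.bottom + scrollY,
    width: r.width, height: r.height,
  };
}

// True when the control is rendered where the user cannot see it.
// Limitation: a transparent ancestor is not detected (opacity is not inherited).
function isConcealed(f, viewportWidth) {
  if (f.display === 'none' || f.visibility === 'hidden' || f.opacity === 0) return true;
  if (f.width < 2 || f.height < 2) return true; // collapsed, or inside display:none
  return f.right <= 0 || f.bottom <= 0 || f.left >= viewportWidth; // pushed out of view
}

// Names of concealed controls whose name/autocomplete hints at personal data.
function concealedAutofillTargets(fields, viewportWidth) {
  return fields
    .filter(f => PERSONAL.test(f.autocomplete) || PERSONAL.test(f.name))
    .filter(f => isConcealed(f, viewportWidth))
    .map(f => f.name || f.autocomplete);
}

// Constructed sample: two fields the user sees, three the user does not.
const shown = { display: 'inline-block', visibility: 'visible', opacity: 1,
                left: 40, right: 340, bottom: 130, width: 300, height: 30 };
const SAMPLE_FIELDS = [
  { ...shown, name: 'name', autocomplete: 'name' },
  { ...shown, name: 'email', autocomplete: 'email', bottom: 180 },
  { ...shown, name: 'phone', autocomplete: 'tel', left: -600, right: -300 },
  { ...shown, name: 'address', autocomplete: 'street-address', width: 0, height: 0 },
  { ...shown, name: 'ccnumber', autocomplete: 'cc-number', opacity: 0 },
];

// In a page: concealedAutofillTargets([...form.elements].map(describe), innerWidth)
console.log(concealedAutofillTargets(SAMPLE_FIELDS, 1280));
```

A non-empty result means that accepting an Autofill suggestion on the visible fields may also populate fields the user never saw, which is the condition the article describes.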
Kuosmanen released a video showing how the scam may be used by hackers.
— Viljami Kuosmanen ⭐ (@anttiviljami) January 4, 2017
According to Kuosmanen, the attack only works when you select a suggestion from Autofill, so it may be advisable for users concerned about online security to stop using the system until a fix is released.
You can turn off Autofill by visiting your web browser settings.
Kuosmanen claimed the same flaw affects password managers such as LastPass.
So far the Chrome, Opera and Safari browsers are affected, while Mozilla said its Firefox browser is unaffected.