Using different usernames and passwords across sites has become common practice online, so people increasingly rely on password managers and browser autofill, which stores personal information and fills it in automatically to save repetitive typing, in order to log in.
The discovered flaw affects the autofill function in browsers including Google's Chrome and Apple's Safari. It also affects some plugins and add-ons, including the LastPass password manager, according to The Telegraph.
Viljami Kuosmanen, a security researcher, has discovered that autofill will also paste information into hidden text boxes, allowing scammers to steal information without users knowing. This could include name, personally identifying information, email address, phone number and addresses.
To show how it works, Kuosmanen created a website that asks for a user's name and email address but contains hidden boxes that are automatically filled with address, organisation and phone number. The attack only works if users select one of the autofill suggestions, meaning the best method of protection is to avoid clicking on these until a fix has been released. Disabling autofill is also a possibility, as is managing security settings. For example, Chrome users can deselect "Enable Autofill to fill out web forms in a single click" in Settings -> Advanced.
It doesn't affect Mozilla's Firefox browser, as this autofills each field individually, the online publication added.
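As an added example (not Kuosmanen's demonstration code or any browser's own logic), the JavaScript below sketches a defender-side audit that lists form fields with personal-data names that the user cannot see, which is the condition the demonstration page relies on. The token list, the visibility checks, the function names and the sample form are assumptions constructed for illustration.

```javascript
// Added example: flag form fields that autofill could populate without the user seeing them.
// Assumed, non-exhaustive tokens that mark a field as holding personal data.
const PERSONAL_TOKENS = ["name", "email", "tel", "phone", "address", "street",
  "city", "postal", "zip", "organization", "organisation", "company"];

function isPersonalField(f) {
  const label = `${f.name || ""} ${f.autocomplete || ""}`.toLowerCase();
  return PERSONAL_TOKENS.some((t) => label.includes(t));
}

// Returns why a field is not visible to the user, or null when it is visible.
function concealmentReason(f) {
  if (f.display === "none") return "display:none";
  if (f.visibility === "hidden") return "visibility:hidden";
  if (parseFloat(f.opacity) === 0) return "opacity:0";
  const r = f.rect; // page coordinates, in CSS pixels
  if (r.width < 1 || r.height < 1) return "zero-size box";
  if (r.left + r.width <= 0 || r.top + r.height <= 0) return "positioned outside the page";
  return null;
}

// Report every concealed field whose name suggests personal data.
function auditForm(fields) {
  return fields
    .map((f) => ({ name: f.name, reason: concealmentReason(f) }))
    .filter((x, i) => x.reason !== null && isPersonalField(fields[i]));
}

// Browser-only adapter: builds descriptors from a live <form> with standard DOM APIs.
// type=hidden inputs carry page-supplied values and are left out.
function describeForm(form) {
  const sel = "input:not([type=hidden]), select, textarea";
  return [...form.querySelectorAll(sel)].map((el) => {
    const cs = getComputedStyle(el);
    const b = el.getBoundingClientRect();
    return { name: el.name, autocomplete: el.getAttribute("autocomplete"),
      display: cs.display, visibility: cs.visibility, opacity: cs.opacity,
      rect: { left: b.left + window.scrollX, top: b.top + window.scrollY,
        width: b.width, height: b.height } };
  });
}

// Constructed sample: two visible fields plus three concealed ones, as in the article.
const shown = { display: "inline-block", visibility: "visible", opacity: "1" };
const box = (left, top) => ({ left, top, width: 200, height: 24 });
const SAMPLE_FORM = [
  { name: "name", ...shown, rect: box(20, 40) },
  { name: "email", ...shown, rect: box(20, 80) },
  { name: "address", ...shown, rect: box(-500, 40) },
  { name: "organisation", ...shown, display: "none", rect: { left: 0, top: 0, width: 0, height: 0 } },
  { name: "phone", ...shown, opacity: "0", rect: box(20, 120) },
];
```

In a browser console, `auditForm(describeForm(document.forms[0]))` runs the same check against the first form on the current page; an opacity or clipping rule set on a parent element is not caught by this sketch.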