Autofill On Chrome And Safari Can Give Hackers Access To Your Credit Card Info

Discussion in '[H]ard|OCP Front Page News' started by Megalith, Jan 10, 2017.

  1. Megalith

    Megalith 24-bit/48kHz Staff Member

    Messages:
    8,811
    Joined:
    Aug 20, 2006
    Autofill can be very convenient, but here’s a reason to be cautious about it. People have already chimed in with fixes so obvious (e.g., restricting autofill only to visible fields) that it makes you wonder why browsers don’t already have such safeguards.

    …browsers like Chrome and Safari are set to autofill information into text boxes with data like your phone number, address, credit card number, etc. Typically, browsers will determine the type of information the site is asking for, then keep the rest. But, Kuosmanen notes, hackers can obscure certain text boxes—meaning users wouldn’t they’ve been autofilled. And since the malicious websites can be designed to look like pretty much anything, the danger is real.
     
  2. Grahamkracka

    Grahamkracka Gawd

    Messages:
    1,018
    Joined:
    Feb 4, 2008
    File this under "No Shit Sherlock"
     
  3. oROEchimaru

    oROEchimaru 2[H]4U

    Messages:
    4,080
    Joined:
    Jun 1, 2004
    When I did security what stinks on public computers (no signon) is Chrome about summer 2014 or 2015 changed some of the features to ignore coder header tags (HTML tags, asp tags etc) that :
    a. blocked sites from cacheing creds as a whole
    b. individual overrides to specific fields
    c. many common meta tag and html tag tricks

    Chrome basically started ignoring any security tags of "please dont cache/store this".
     
    viscountalpha likes this.
  4. Exavior

    Exavior [H]ardness Supreme

    Messages:
    8,140
    Joined:
    Dec 13, 2005
    How else do you expect Google to get and store your credit card number?