Autofill on Chrome and Safari Can Give Hackers Access to Your Credit Card Info

By Sidney Fussell on at

With a simple exploit, browsers like Chrome and Safari can be tricked into handing over your credit card information to hackers. And you wouldn’t even realise it.

Viljami Kuosmanen is a hacker with Futurice and took to Github and Twitter to point out a simple exploit on malicious websites that can rip you off. As he explains, browsers like Chrome and Safari are set to autofill information into text boxes with data like your phone number, address, credit card number, etc. Typically, browsers will determine the type of information the site is asking for, then keep the rest. But, Kuosmanen notes, hackers can obscure certain text boxes—meaning users wouldn’t they’ve been autofilled. And since the malicious websites can be designed to look like pretty much anything, the danger is real.

Here’s what the exploit looks like:

So even if you only input your information the text boxes you saw, Chrome could have autofilled hidden boxes with more sensitive material. And because the site would have to be laid out specifically to hide boxes, you wouldn’t necessarily notice that the information was being sent. That’s not good if the data includes credit card information.

In the replies to the original tweet, other users suggested simple fixes to the affected browsers, like notifying users what information they’ve filled in before submitting or simply restricting autofill to only visible boxes. For now, the easiest way to avoid the exploit is simply to disable your autofill feature.

Disabling autofill on Chrome is accessed first by clicking Preferences and then Show Advanced Settings. You can also go to chrome://settings/. From there, you just uncheck the box:

Disabling autofill on Safari is accessed first via Preferences and then by going to the ‘AutoFill’ tab and unchecking the boxes.

Firefox requires manual autofill for text boxes, meaning you have to at least hover over a text box before it’s filled in. That means the exploit won’t work as well in the browser, since you can’t fill in the boxes you can’t see.

We reached out to Apple and Google for comment on Kuosmanen’s exploit and how to avoid it. We’ll update this post if we hear back. [The Guardian]