Tuesday, February 28, 2017

Why You Should Disable Autofill on Your Browsers

Completing an online order. Filling out another registration form. These are just some of the online tasks we're happy to have Autofill complete the information for us. Recently, however, web developer Viljami Kuosmanen discovered a vulnerability that can expose your stored data to a malicious person via phishing. In this attack, a phishing email would be sent asking the target to complete a form on a web page. Once the target fills out one of the (visible) fields, the browser then auto populates multiple invisible fields on the page (drawing from the stored Autofill data).

picture1

Above is an example of the hack in action, and you can also test it out yourself on a test page Kuosmanen setup. With this it's possible to give an attacker access to your address, credit card information, and other sensitive data. According to Forbes, password keeper Last Pass is also susceptible to this vulnerability, which could cause you to give up your passwords unknowingly. 


Prevention against the attack

One of the most reliable is turning Autofill off on your browser. It is easy to do, and if you're using Chrome you can just follow these steps:
  • Open Chrome and click on the settings button in the upper right. 
       screen-shot-2017-01-26-at-9-41-25-am
  • At the bottom, click Show advanced settings.
  • Under "Passwords and forms", uncheck "Enable Autofill to fill out web forms in a single click".
  • Click on Manage Autofill Settings, and delete any data that has already been stored.

If you're looking to protect your enterprise environment from this, you'll need to educate your users on not clicking and reporting suspicious emails. Phishing emails use many varied tactics, and exposing employees to these will help them to prevent attacks. Phishing as a Service (PHaaS) can offer continual testing and training to employees, helping them to spot phishing emails and know how to interact with them safely. This is a proven measure where corporations have seen reduced click ratios, increased reporting, and significant drops in malware on their networks.

Remember, if an email is asking you to visit a website or submit information, you should always manually navigate to a known trusted website (like your bank) to log in and enter information. Don't ever click on suspicious email links, download attachments from unknown senders, and be wary if you continue to utilize the Autofill function on your browsers.

4 comments:

  1. of course like your website but you need to test the spelling on quite a few of your posts. Many of them are rife with spelling issues and I to find it very troublesome to inform the truth however I'll definitely come again again.

    ReplyDelete
  2. Pretty great post. I just stumbled upon your weblog and wanted to mention that I've really loved surfing around your blog posts. After all I'll be subscribing in your feed and I'm hoping you write once more soon!

    ReplyDelete
  3. Taito Iron Tacor - titanium tubing
    Iron Tacor is a premium does titanium set off metal detectors crafted titanium earrings sensitive ears aluminum titanium trim reviews oxide. This unique Iron Tacor titanium rod stainless steel handle is a snap closure. This handle is 1" titanium curling wand long and $1.99 · ‎In stock

    ReplyDelete