LastPass Extension can be tricked into leaking private information using hidden text boxes

Browser autofill used to steal personal details in new phishing attack

Your browser or password manager’s autofill might be accidentally giving away your info to unscrupulous phishers using text boxes that are hidden on sites.

Finnish web developer and hacker Viljami Kuosmanen found that several web browsers, including Google’s Chrome, Apple’s Safari and Opera, along with a few plugins and utilities like LastPass, can be tricked into giving away a user’s personal information through their profile-based autofill systems.

The phishing attack is brutally simple.

This means that when a user enters seemingly innocent, basic information into a site, the autofill system may be giving away much more sensitive information at the same time if the user confirms the autofill. Chrome’s autofill system, which is switched on by default, stores data on phone numbers, email addresses, mailing addresses, organisations, credit card information and various other bits and pieces.

Kuosmanen set up a site to demonstrate the issue. It shows text boxes for a user’s name and email, while text boxes for address and phone number are concealed from view and are autofilled by Chrome.
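A defender-side check for the pattern described above, as an added example that is not from the original article or from Kuosmanen's demo: it flags form inputs that map to autofill profile data but are not visible to the user. The descriptor shape, the token list and the hiding methods checked are assumptions, and the sample fields are constructed.

```javascript
// Added example: flag inputs a browser profile could autofill but the user cannot see.

// Field names / autocomplete tokens treated as profile data (assumed, non-exhaustive).
const PROFILE_DATA = /(^|[^a-z])(tel|phone|email|address|street|postal|zip|city|organi[sz]ation|company|cc|card)/i;

// In a browser, build one descriptor per <input>. Page coordinates are used so a
// field that is merely scrolled out of view is not reported.
function describeField(el) {
  const cs = getComputedStyle(el), b = el.getBoundingClientRect();
  return { name: el.name, autocomplete: el.autocomplete, display: cs.display,
           visibility: cs.visibility, opacity: cs.opacity,
           rect: { left: b.left + scrollX, top: b.top + scrollY, width: b.width, height: b.height } };
}

// Return why a field is invisible, or null if it looks visible.
// Ancestor opacity and overlapping elements are not checked here.
function concealment(f) {
  const r = f.rect;
  if (f.display === "none") return "display:none";
  if (f.visibility === "hidden") return "visibility:hidden";
  if (Number(f.opacity) === 0) return "opacity:0";
  if (r.width < 2 || r.height < 2) return "collapsed";
  if (r.left + r.width <= 0 || r.top + r.height <= 0) return "positioned off-screen";
  return null;
}

// Report concealed fields whose name or autocomplete hint maps to profile data.
function auditFields(fields) {
  return fields
    .map(f => ({ name: f.name, reason: concealment(f),
                 profileData: PROFILE_DATA.test(`${f.name} ${f.autocomplete}`) }))
    .filter(x => x.reason && x.profileData)
    .map(({ name, reason }) => ({ name, reason }));
}

// Constructed sample: visible name/email boxes, concealed phone/address boxes,
// and a hidden anti-spam field that should not be reported.
const shown = { display: "block", visibility: "visible", opacity: "1" };
const SAMPLE_FIELDS = [
  { name: "name", autocomplete: "name", ...shown, rect: { left: 20, top: 100, width: 200, height: 24 } },
  { name: "email", autocomplete: "email", ...shown, rect: { left: 20, top: 140, width: 200, height: 24 } },
  { name: "phone", autocomplete: "tel", ...shown, rect: { left: -500, top: 180, width: 200, height: 24 } },
  { name: "address", autocomplete: "street-address", ...shown, opacity: "0", rect: { left: 20, top: 220, width: 200, height: 24 } },
  { name: "website", autocomplete: "off", ...shown, display: "none", rect: { left: 0, top: 0, width: 0, height: 0 } },
];

console.log(auditFields(SAMPLE_FIELDS));
```

On a live page the same audit can be run from the browser console with `auditFields([...document.querySelectorAll("input")].map(describeField))`.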

A complete autofill system is now in development for Firefox, however.

The phishing attack still relies on users being tricked into entering at least some information into an online form, but unsuspecting users could be deceived into handing over more than they bargained for relatively easily.

Users can protect themselves from this type of phishing attack by disabling the autofill system in their browser or extension settings.