OH NOES. IT TURNS OUT THAT those simple, and often quite handy, times that you used an autofill system to fill out an online form were bad times. Times when you were putting yourself at risk of a significant phishing attack and monetary losses.
This was revealed by a security researcher on GitHub and picked up by the gang at Bleeping Computer. The researcher offers proof and has posted a short two-box form on GitHub to illustrate the problem.
The form asks for just a name and an email address. However, the page and the researcher know that there are six other boxes on there, ones the user does not see, and that autofill will populate them too, so the page can automatically suck up that information without any further user interaction.
This is Finnish web developer Viljami Kuosmanen's discovery, and he said that he has been aware of it for some time. This means that he probably fills in all forms manually and looks on critically when anyone else lets their laptop do the work for them. He knows something that we don't, you see. Or, at least, he used to know something.
"I had known about this issue for a long time. A similar thing (honeypots) is used to trap bots in forms to avoid spam. This is the same idea, just trap real browser users instead of bots," he told Bleeping Computer.
"The idea for the demo came after I was annoyed about Chrome autofilling wrong fields on an ecommerce site. I then went on to see which details Chrome had saved for autofill about me and was surprised about how much information is available."
How much is too much, of course. Bleeping Computer says that browsers that support autofill include Safari, Opera, and Chrome, but that others including Mozilla Firefox and Microsoft Edge are also leaning in that direction.
You do not have to use autofill and you can turn it off. µ
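A defender-side check for the pattern described above, as an added example that is not from the researcher's demo or the original article: it statically audits a form's HTML and separates autofill-relevant fields a user can see from ones that are concealed. The hint list, the inline-style heuristics and the sample form are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
import re

# Name/autocomplete tokens treated as autofill-relevant (assumed list for this example).
AUTOFILL_HINTS = ("name", "email", "tel", "phone", "organization",
                  "address", "postal", "city", "country")
# Inline styles that take an element out of view (heuristic; external CSS is not evaluated).
HIDING_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|opacity\s*:\s*0(?![.\d])"
    r"|(?:left|top|margin-left|margin-top)\s*:\s*-\d{3,}", re.I)
SKIP_TYPES = {"hidden", "submit", "button", "checkbox", "radio"}  # not free-text fields
VOID = {"input", "br", "img", "hr"}  # elements that never get an end tag

class FormAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.open = []        # (tag, conceals_children) for currently open elements
        self.visible = []     # autofill-relevant fields the user can see
        self.concealed = []   # autofill-relevant fields the user cannot see

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        hidden = "hidden" in a or bool(HIDING_STYLE.search(a.get("style", "")))
        if tag in ("input", "select", "textarea"):
            self._classify(a, hidden)
        if tag not in VOID:
            self.open.append((tag, hidden))

    def handle_endtag(self, tag):
        names = [t for t, _ in self.open]
        if tag in names:      # close back to the most recent matching open tag
            del self.open[len(names) - 1 - names[::-1].index(tag):]

    def _classify(self, a, hidden):
        label = (a.get("autocomplete") or a.get("name") or a.get("id") or "").lower()
        if a.get("type", "text").lower() in SKIP_TYPES or not any(
                hint in label for hint in AUTOFILL_HINTS):
            return
        concealed = hidden or any(h for _, h in self.open)  # own style or any ancestor's
        (self.concealed if concealed else self.visible).append(label)

def audit_form(html):
    # Returns the autofill-relevant fields split into shown and concealed.
    parser = FormAudit()
    parser.feed(html)
    return {"visible": parser.visible, "concealed": parser.concealed}

# Constructed sample: two fields on show, six more inside a container that is not displayed.
SAMPLE = """<form><input name="name"><input name="email"><div style="display:none">
<input name="phone"><input name="organization"><input name="address"><input name="postal">
<input name="city"><input name="country"></div><input type="hidden" name="csrf_token"></form>"""
```

Any entry under `concealed` is a field a visitor would hand over without having seen it, which is the condition worth flagging when reviewing third-party or user-supplied form markup.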