back to article Autocomplete a novel phishing hole for Chrome, Safari crims

Phishers have a new tool in their arsenal with the discovery that web browsers Chrome and Safari along with LastPass will autofill hidden registration form fields. Finnish web developer Viljami Kuosmanen discovered the flaws affecting the world's most popular browser, along with Apple's offering. The attack vector is manifest …

  1. Anonymous Coward
    Anonymous Coward

    lastpass-cli: a safe and open-source work-around

    Rather than embedding a blob in the browser that could have who knows what kinds of unexpected behaviour (like this little gem), there's an alternative: the command-line LastPass client.

    Pretty simple to use, and while not as "convenient", it can't spaff your private details into fields without you knowing because you have to manually copy and paste the detail in yourself.

    (Yes, there is a risk of something spying on your clipboard … in which case I'd argue you have bigger problems!)

    1. Anonymous Coward
      Anonymous Coward

      Re: lastpass-cli: a safe and open-source work-around

      And for the other 99.999% of the population, lets wait for a fix.

    2. big_D Silver badge

      Re: lastpass-cli: a safe and open-source work-around

      Or just switch off the Autofill in LastPass.

      1. joed

        Re: lastpass-cli: a safe and open-source work-around

        Or just use noscript like add-on. No idea why would someone run a browser without one.

        1. big_D Silver badge

          Re: lastpass-cli: a safe and open-source work-around

          Because there is no equivalent to NoScript on Chrome...There are several that block scripts, but they block wholesale - either the whole page can run scripts or not, no choice of allowing certain domains (E.g. main website), but blocking others (E.g. malware slinging ad domains, google-analytics etc.).

    3. Mathman

      Re: lastpass-cli: a safe and open-source work-around

      Or you can use the offline application Lastpass Pocket. I'm afraid you will have to live with a graphical interface though!

      https://lastpass.com/download

  2. phy445

    Is this story from the guardian?

    "...enetered, but was still suspetible."

    1. Rabster

      Re: Is this story from the guardian?

      It's a perfectly cromulent word.

  3. Cuddles Silver badge

    Eh

    If someone explicitly tells their browser to fill in all the visible fields on a phishing site, they would have done exactly the same if any hidden fields were visible anyway. By the time you've suckered someone in to visiting a fake site and giving it all their details, they're not suddenly going to baulk just because it asks for their date of birth as well.

    1. phuzz Silver badge

      Re: Eh

      Lastpass does at least ask you to confirm that you want to enter your credit card number into a page. There's no confirmation for address details though.

      Perhaps if there was the option for a dialogue box that displayed the info that was about to be autofilled?

    2. tr1ck5t3r

      Re: Eh

      Just use your favourite AV internet suite to do the form filling instead, and if that's not good enough, there's always the key loggers that will harvest anything you type.

  4. ratfox Silver badge

    Autofill does give my address, but not the fake CC number (which I just added for the test).

    Using Chrome. Could they have fixed it already?

    1. Anonymous South African Coward Silver badge

      Pity about the fake CC though.

      I'm now wondering - if it can be detected somehow that a phishing site is asking for your address and other information (to be autofilled in) can't a script be run that will fill all those fields in with a random selection of Captain Haddock's insults? Or something worse/better...

      1. phuzz Silver badge

        Simply giving them fake credit card numbers does the most damage, as when the crim tries to sell a whole trove of details, they'll get less money if many of them turn out to be invalid.

    2. Anonymous Coward
      Thumb Up

      Thanks! I'll give lastpass-cli a try. I fucking hate their browser extension, particularly the way it offers to save passwords for the wrong sites. The settings don't offer enough control.

      If you're going to use Lastpass autofill, the only information in it should be your usernames and passwords for low-risk sites. No personal info, no credit cards, nothing associated with banking (including email accounts).

      Always disable all browser autofill features. Browsers are shit.

  5. Alister Silver badge
    Facepalm

    Autocomplete a Novel

    I completely misinterpreted the headline, I thought it was a story about AI thriller writing...

  6. druck

    Ask the right question

    Auto-complete shouldn't just ask you yes or no, it should first tell you all the fields which it will complete. You should then be able to spot a list which is longer than the boxes on the page.

  7. Anonymous Coward
    Anonymous Coward

    just checked Firefox

    also vulnerable....

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019