Why Users Should Never Auto-Fill Forms: Browser Exploit Overview

November 29, 2018
Steve Fox

Life is hectic. As a result, we all look for ways to eliminate inconvenience, ease our stress levels, and save precious time. However, some comforts might come at too high of a price. Unfortunately, the auto-fill function on your browser might be a more of a risky convenience than most people realize. For years, security insiders have argued the dangers of the auto-fill function: the handy tool that automatically provides your name, address, phone number, and such for web page forms. It turns out, they are right.


Princeton University’s Center for Information Technology Policy has published research showing how attackers are using code to exploit browser login managers (the auto-fill feature). They tested this vulnerability on Chrome, Firefox, Internet Explorer, Edge, and Safari. Here’s how it works: a user fills a login form on a web page, then sets the browser login manager to save that login information. When the browser next encounters a form, a third-party script adds invisible fields to an innocent-looking web form. The login manager automatically fills in all the fields, visible or not, gaining the users username, email address, organization name, phone number, street address, and more. The third-party tracking script then sends all of this data to third-party servers to be exploited by attackers.


Businesses now need to prevent employees from inadvertently sharing a range of sensitive information that could put the organization at risk. You can certainly install ad-blockers and disable the auto-fill feature on browsers. However, doing so can result in users choosing less complex and easier to remember (less secure) passwords. This side effect highlights perhaps the most important takeaway from this finding—your company is only as safe as your staff’s security awareness. Ongoing, company-wide cybersecurity awareness training is the only way to ensure your staff is on top of new (or newly proven) vulnerabilities.

join our email list