Auto-phishing? Autocomplete security risks
By Tom, on 17 February 2017
Today I’m going to look at a specific security flaw and how to think about this from an information risk perspective.
You may have seen articles about malicious websites exploiting browser autocomplete. Basically, criminals create a malicious page that looks legitimate and include a couple of visible fields for text entry, say, name and email address. They also create other fields that capture more, possibly sensitive, information (e.g. address, phone number, password, etc.), and then hide these fields so that they are not visible to website visitors. You visit the page, autocomplete fills in all the boxes, including the ones you can’t see, and you unwittingly submit more information than you intended. Without realising it you can accidentally give away your password.
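To make the mechanism concrete, here is an added example (my own code, not from the original post or any product it mentions) that scans a form for fields which are hidden from the user but still carry an autofill hint for sensitive data, and then strips those values from a submission, which is the kind of check a browser extension could run before a form is sent. The HTML page, field names and submitted values are all constructed for the demo; the hiding tricks it looks for (display:none, visibility:hidden, zero opacity, off-screen positioning) are assumptions about what a hostile page might use, not a complete list.

```javascript
// Added example, not from the original post: detect form fields that are
// hidden from the user but eligible for browser autofill, and drop their
// values before submission. Runs under Node.js with no browser required.

// Constructed sample page: two visible fields plus three hidden ones that
// ask for sensitive data. The CSRF token is type=hidden and never autofilled.
const SAMPLE_FORM = `
<form action="/signup" method="post">
  <input type="text" name="name" autocomplete="name">
  <input type="email" name="email" autocomplete="email">
  <input type="text" name="address" autocomplete="street-address" style="display:none">
  <input type="tel" name="phone" autocomplete="tel" style="position:absolute; left:-9999px">
  <input type="password" name="password" autocomplete="current-password" style="opacity:0">
  <input type="hidden" name="csrf_token" value="abc123">
</form>`;

// Autofill categories (assumed list) that a browser would populate from saved data.
const SENSITIVE_AUTOFILL =
  /^(street-address|address-line\d|postal-code|tel|cc-number|cc-exp|cc-csc|current-password|new-password|email|name)$/i;

// Parse the attributes of every <input> tag into a plain object.
function parseInputs(html) {
  const inputs = [];
  const tagRe = /<input\b([^>]*)>/gi;
  const attrRe = /([a-zA-Z-]+)\s*=\s*"([^"]*)"/g;
  let tag;
  while ((tag = tagRe.exec(html)) !== null) {
    const attrs = {};
    let attr;
    while ((attr = attrRe.exec(tag[1])) !== null) {
      attrs[attr[1].toLowerCase()] = attr[2];
    }
    inputs.push(attrs);
  }
  return inputs;
}

// True when the field is styled so the user cannot see it (heuristic, assumed set).
function isVisuallyHidden(attrs) {
  const style = (attrs.style || '').replace(/\s+/g, '').toLowerCase();
  return /display:none/.test(style) ||
         /visibility:hidden/.test(style) ||
         /opacity:0(;|$)/.test(style) ||
         /left:-\d{3,}px/.test(style) ||
         /top:-\d{3,}px/.test(style);
}

// Names of fields that are hidden yet carry a sensitive autofill hint.
function findHiddenAutofillFields(html) {
  return parseInputs(html)
    .filter(attrs => attrs.type !== 'hidden')   // type=hidden is never autofilled
    .filter(attrs => SENSITIVE_AUTOFILL.test(attrs.autocomplete || attrs.name || ''))
    .filter(isVisuallyHidden)
    .map(attrs => attrs.name);
}

// Mitigation: remove values the user never saw from the data about to be submitted.
function stripHiddenAutofill(html, formData) {
  const blocked = new Set(findHiddenAutofillFields(html));
  const cleaned = {};
  for (const [key, value] of Object.entries(formData)) {
    if (!blocked.has(key)) cleaned[key] = value;
  }
  return cleaned;
}

// Constructed submission, as a browser's autofill would produce it.
const AUTOFILLED = {
  name: 'Ann Example', email: 'ann@example.invalid', address: '1 Sample Road',
  phone: '01234 567890', password: 'hunter2', csrf_token: 'abc123',
};

console.log('hidden autofill fields:', findHiddenAutofillFields(SAMPLE_FORM));
console.log('sanitised submission:', stripHiddenAutofill(SAMPLE_FORM, AUTOFILLED));
```

The scanner flags the address, phone and password fields and the sanitised submission keeps only name, email and the CSRF token. The heuristic is deliberately simple: it only inspects inline styles, so a real extension would need to consult computed styles in the live page, which is exactly why disabling autocomplete at the browser is the easier treatment.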
Obviously this is no good. We want to browse safely and conveniently, and autocomplete is just an automatic component of most browsers now.
Let’s express this in terms of a risk:
“Due to my accounts being compromised by malicious websites harvesting my password via hidden autocomplete fields, my confidential information is at risk of unauthorised access.”
To manage the risk, we need to select a management action. These fall into four categories:
- Treat: Treating a risk means taking an action to control the risk, reducing the chances that it will occur. This means making the attack harder to achieve, for example by disabling autocomplete.
- Transfer: Transferring means arranging for a third party to be impacted if the risk occurs. Taking out insurance is an example of transferring risk. Transferring is probably not an option in this case.
- Tolerate: Tolerating risk is self-explanatory; it is accepting it as “the price of doing business”. In this case it would mean not adjusting our behaviour at all.
- Terminate: Terminating a risk means avoiding the activity that creates the risk in the first place. In this case this could mean avoiding the use of any of the accounts we are discussing.
The most suitable action here is to treat the risk. A simple fix would be to disable the autocomplete function in your browser. In conjunction with something like LastPass (see a previous post), you can securely store your information in such a way that you don’t need to use autocomplete to retain useful login information.
Note: It is possible to use LastPass to autocomplete forms too. This may also be prone to the vulnerability discussed here. You can, however, disable autocomplete there too and simply reference your stored information. This again helps to treat the risk.