Finnish web developer Viljami Kuosmanen recently discovered a vulnerability affecting several web browsers and browser plugins. According to his findings, autofill systems in Chrome, Opera, and password managers with autofill features can be tricked into filling out your personal information–like your name, address, or phone number–into hidden text boxes on the web page. Essentially, that means that an autofill system could give away more information than you initially thought.
Fortunately, after further investigation, Dashlane’s Security team verified that our password manager is not directly impacted by this specific attack. I’ll explain how we protect your data from potential autofill phishing scams, but for those with non-technical backgrounds, here’s a quick explanation of how browser autofill works.
How does autofill work?
According to StackOverflow user kmote, Chrome and other web browsers with autofill capabilities “primarily rely on contextual clues to determine the type of data that should be filled into form elements. Examples of such contextual clues include the name of an input element, the text surrounding the element, and any placeholder text.”
How do autofill phishing attacks work?
Essentially, if you visit a phishing website and autofill your information into text fields, like your name and email address, that website could have hidden input fields that solicit more information from your autofill system, like your address, the name of your employer, and telephone number.
However, this works differently in different browsers. For instance, Safari shows you all the data that is about to be entered into a form, including fields you cannot see yourself. In Firefox, you have to right-click on the input field and select a saved identity, so each field is autofilled individually rather than the whole form at once.
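To make the two preceding points concrete, here is an added example (not code from this article, nor from any browser or password manager): a small simulation of a contextual-clue autofill engine of the kind described under "How does autofill work?", run against the hidden-field harvesting form described above. The field descriptors stand in for DOM input elements and are constructed for this example; no real browser autofill or DOM is involved, so it runs under plain Node.

```javascript
// Added example, not code from the article or from any browser or password
// manager: a simulation of a contextual-clue autofill engine and of a page
// with hidden inputs. Field descriptors below are constructed stand-ins for
// DOM <input> elements.

// A saved identity, keyed by HTML autocomplete token names.
const savedIdentity = {
  name: "Alice Example",
  email: "alice@example.test",
  tel: "+358 40 123 4567",
  "street-address": "1 Example Street",
  organization: "Example Oy",
};

// Contextual clues, in priority order: a regex over the input's name, id,
// placeholder and label text decides which identity field it wants.
const CLUE_RULES = [
  { type: "email", re: /e-?mail/i },
  { type: "tel", re: /phone|tel/i },
  { type: "street-address", re: /address|street/i },
  { type: "organization", re: /company|employer|organi[sz]ation/i },
  { type: "name", re: /\bname\b/i },
];

// Map an input to an identity field. An explicit, known autocomplete token
// wins; otherwise fall back to the contextual clues. Returns null if nothing
// matches (the field is left alone).
function classifyField(field, identity) {
  if (field.autocomplete && field.autocomplete in identity) return field.autocomplete;
  const text = [field.name, field.id, field.placeholder, field.label]
    .filter(Boolean)
    .join(" ");
  const rule = CLUE_RULES.find((r) => r.re.test(text));
  return rule ? rule.type : null;
}

// Crude visibility check on the descriptor's inline style. The tricks a
// harvesting page uses are the ones checked here: display:none,
// visibility:hidden, opacity:0, or positioning the input far off-screen.
function isVisibleToUser(field) {
  const s = field.style || {};
  if (s.display === "none" || s.visibility === "hidden") return false;
  if (s.opacity !== undefined && Number(s.opacity) === 0) return false;
  if (s.left !== undefined && parseInt(s.left, 10) < -1000) return false;
  return true;
}

// Fill a form the naive way (every classifiable input) or the careful way
// (only inputs the user can actually see). Returns {inputName: value}.
function autofill(fields, identity, { onlyVisible }) {
  const filled = {};
  for (const f of fields) {
    const type = classifyField(f, identity);
    if (type === null) continue;
    if (onlyVisible && !isVisibleToUser(f)) continue;
    filled[f.name] = identity[type];
  }
  return filled;
}

// Names of inputs a naive autofiller populates that the user never sees:
// exactly the data a harvesting page walks away with.
function leakedFields(fields, identity) {
  const naive = autofill(fields, identity, { onlyVisible: false });
  const careful = autofill(fields, identity, { onlyVisible: true });
  return Object.keys(naive).filter((k) => !(k in careful));
}

// Constructed harvesting form: two inputs the visitor sees and fills, three
// hidden ones that only the autofill engine "sees".
const harvestingForm = [
  { name: "name", label: "Name", style: {} },
  { name: "email", placeholder: "Email", style: {} },
  { name: "phone", autocomplete: "tel", style: { display: "none" } },
  { name: "addr", autocomplete: "street-address", style: { position: "absolute", left: "-5000px" } },
  { name: "company", label: "Company", style: { opacity: "0" } },
];

console.log("naive autofill :", autofill(harvestingForm, savedIdentity, { onlyVisible: false }));
console.log("visible-only   :", autofill(harvestingForm, savedIdentity, { onlyVisible: true }));
console.log("leaked         :", leakedFields(harvestingForm, savedIdentity));
```

The naive pass fills all five inputs, so the phone number, street address and employer leave with the form submission even though the visitor only typed a name and email. The visible-only pass fills just the two fields the user can see, which is the behaviour the per-field prompting in Safari and Firefox approximates. The visibility heuristic is deliberately simple; a real implementation would also have to consider computed styles, zero-size elements and off-screen parents.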
How does Dashlane protect me from this attack?
Our security architecture already has some built-in protections to make sure you’re not vulnerable to this kind of attack.
- Dashlane will only auto-fill if the URL of the website is consistent with the URL saved in Dashlane.
- By default, Dashlane requires users to re-enter their Master Password before auto-filling your payment information on any web page.
- Dashlane only works on verified web browsers for your security.
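The first two protections above come down to a decision a password manager makes before it fills anything: does the page match the saved entry, and does this kind of data need the user to re-authenticate first? The following added example (not Dashlane's own code) reduces that decision to a pure function so it can be exercised in Node without a browser. The vault entries, hostnames and the "allowSubdomains" option are constructed for illustration, and the matching rules are a simplification of what real password managers do.

```javascript
// Added example, not Dashlane's own code: an autofill gate modelling the
// URL-consistency check and the master-password gate for payment data.
// Vault entries, hostnames and the allowSubdomains option are constructed.

// Break a URL into the parts that decide whether two pages are the same site.
// The WHATWG URL parser lowercases the host and converts internationalised
// names to punycode, which is what defeats look-alike (homograph) hosts below.
function siteKey(urlString) {
  const u = new URL(urlString);
  return { scheme: u.protocol, host: u.hostname, port: u.port };
}

// Exact host match by default. With allowSubdomains, "login.example.test"
// matches an entry saved on "example.test" because the match must sit on a
// label boundary; "example.test.evil.test" and "notexample.test" do not.
// Real managers consult the Public Suffix List so that, say, "co.uk" is
// never treated as a site; that is omitted here.
function hostMatches(savedHost, currentHost, allowSubdomains) {
  if (savedHost === currentHost) return true;
  return Boolean(allowSubdomains) && currentHost.endsWith("." + savedHost);
}

// Decide whether one vault entry may be autofilled on the current page.
// `unlocked` models the user having just re-entered the master password.
// The current page must be https; the saved scheme is not compared, so an
// entry captured over http may still be filled after the site moves to https.
function autofillDecision(entry, currentUrl, { allowSubdomains = false, unlocked = false } = {}) {
  let saved, current;
  try {
    saved = siteKey(entry.url);
    current = siteKey(currentUrl);
  } catch {
    return { fill: false, reason: "unparseable-url" };
  }
  if (current.scheme !== "https:") return { fill: false, reason: "insecure-page" };
  if (!hostMatches(saved.host, current.host, allowSubdomains)) return { fill: false, reason: "host-mismatch" };
  if (saved.port !== current.port) return { fill: false, reason: "port-mismatch" };
  if (entry.category === "payment" && !unlocked) return { fill: false, reason: "reauth-required" };
  return { fill: true, reason: "ok" };
}

// All entries in the vault that may be offered on the current page.
function entriesFor(vault, currentUrl, options) {
  return vault.filter((e) => autofillDecision(e, currentUrl, options).fill);
}

// Constructed vault: one login and one payment card saved on the same site.
const vault = [
  { id: "login-1", category: "login", url: "https://example.test/login", username: "alice" },
  { id: "card-1", category: "payment", url: "https://example.test/checkout", last4: "4242" },
];

// Constructed pages, including a homograph with a Cyrillic "а" (U+0430).
const pages = [
  "https://example.test/account",
  "https://login.example.test/",
  "https://example.test.evil.test/login",
  "https://notexample.test/login",
  "https://ex\u0430mple.test/login",
  "http://example.test/login",
];

for (const p of pages) {
  console.log(p, "->", autofillDecision(vault[0], p, { allowSubdomains: true }).reason);
}
```

The point of the host comparison is that a phishing page on a look-alike domain never receives the credential at all, regardless of how convincing the page is, because the vault entry is bound to the host it was saved on rather than to anything the page controls. The payment branch shows the second protection: even on a matching host, card data is withheld until the user has unlocked it.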
In addition to Dashlane’s built-in protections, the best step you can take to avoid becoming a victim of this scam is learning how to identify “phishy” websites from the get-go. Here’s how:
- Check the site’s URL. If it contains misspellings, unusual words or characters, or an unfamiliar subdomain, there’s a good chance it is an illegitimate site. If you have any doubts about the website’s legitimacy, leave it immediately.
- Look for https:// in the address bar. This tells you that the connection to the site is encrypted; it does not tell you that the site is legitimate, since phishing sites routinely obtain valid certificates too. Treat its absence as a warning sign, but do not treat its presence as a guarantee.
- Look for the padlock or key icon on the left side of the address bar. It means the website presented a valid, trusted server certificate, the TLS connection is secure, and all the resources on the page were served securely. Like https://, it vouches for the connection, not for who is on the other end, so it is no substitute for checking the URL itself.