How Dashlane Protects You Against Autofill Attacks

The Web is a jungle!

Web technologies give developers the freedom to program websites and web applications in thousands of different ways. Standards from the W3C are very permissive, and mainstream programming languages for the web (HTML, CSS, JavaScript) let developers get away with pretty much any type of coding mistake, as long as the browser is able to interpret the code. It is like starting a car in second or third gear. It might work, but that’s not how the engine is built and meant to be used.

For a product like Dashlane, this creates two big challenges:

How can we as accurately as possible identify the structure of web pages, and which fields to autofill? This is a complex technical challenge. In fact, we have an entire team of developers devoted exclusively to improving the code in our browser extension that does that analysis.
It also creates a fantastic playground for hackers and malicious actors. Because the web is so heterogeneous and permissive, it makes it easier for hackers to find loopholes in systems.
Autofill is core to our user experience. It is used constantly by our customers, because it saves time and makes navigating the web much more convenient.

We invest a lot of effort in making our autofill as secure as possible to protect our customers. If we ever have to choose between convenience and security, we put security first.

Here are examples of potential issues and how we mitigate them.

First, the level of control and user interaction varies depending on the type of data requested by a specific field. For instance, we will always ask you to trigger the autofill by manually clicking on the web card when entering personal data. We also explicitly exclude autofill for payment fields and Social Security number.

Second, we only autofill on the same domain as the credential. This ensures that you only provide your Twitter credential to twitter.com, for instance. This also protects against phishing web sites. If you don’t see a Dashlane logo in the fields in the page, it may be because the page is not hosted by the domain it purports to be, and Dashlane is protecting you from making a mistake.

We also do not autofill hidden fields and fields that are positioned outside of the visible screen, since these are commonly used by phishing and other fraudulent sites. If you can’t see it with your eyes, we won’t fill it.

Some of our most recent improvements to the security of our autofill protect against the manipulation of Dashlane’s web popups. A hacker could emulate or alter the behavior of these popups to try to trick a user into providing their credentials.

As you can see, this is an ongoing journey. We are committed to doing our best to protect our customers and their data at all times, and we are constantly looking for ways to improve. After all, hackers are always looking for new ways to capture your information.

If you want to know more about Dashlane Security, our Security White Paper is available on our web site.

    Dashlane Team

    Dashlane is a mobile and desktop app that gives you a shortcut for everything you do online. Log in instantly, fly through forms, and breeze through checkouts on every device you own.

    Read More