Zit Seng's Blog

A Singaporean's technology and lifestyle blog

Browser Autofill Leaking Data

Our computers, and IT in general, are fraught with all sorts of security issues. Every day, I read about something or other that will give rise to concerns. Most of the time, they don’t demand immediate action from casual computer users. But once in a while, there’s something that perhaps everyone should check out and take action on if needed.

As reported in The Guardian last week, your browser could be inadvertently giving away your personal information to phishing websites. This can happen through the browser’s autofill feature, automatically populating form fields on an unscrupulous website. The form fields may be hidden on the webpage, so you might not realise you were giving away extraneous information even when you’re carefully inspecting what you’re submitting.

If you’re unfamiliar, autofill basically helps you enter data in webpage forms by making clever guesses at what the forms are asking for. For example, the browser might have learnt about your “shipping address” after you provide the information at one shopping website. Then, when you go over to another website, on a webpage with a form that the browser guesses is asking for a shipping address, the field is autocompleted for you.

It’s nice and convenient. Except that, you know, maybe this was a webpage asking for your email address so as to notify you about, I don’t know, something that you want to know about. Without your knowledge, the webpage could surreptitiously mislead your browser into providing your date of birth, your mailing address, your mobile phone numbers, etc. You might not mind giving this information to a website that had a legitimate reason to need it, but perhaps not when you thought you were simply giving an email address, say, to a marketing website to notify you about the launch of a product.

Right now, it appears that Chrome, Safari, and Opera are affected by the bug, though not Firefox. Firefox won’t autofill fields that are not clickable by the user.

However, don’t think that Firefox is okay, or that it would be good enough for the other browsers to adopt the Firefox way of skipping autofill on such fields. Even if fields are clickable and visible, what if you miss them, either because the webpage design makes them inconspicuous, or simply because there were too many fields and you didn’t check each one of them?
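One way to check a form for personal-data fields you cannot see before you submit it, as an added example (not code from the original post or from any browser). The hint list, the visibility thresholds and the sample fields are assumptions made for illustration.

```javascript
// Added example: flag personal-data fields that autofill could populate out of sight.
// Fields are plain descriptors so the check also runs outside a browser.

// Substrings of autocomplete/name values that suggest personal data (heuristic list).
const PERSONAL_HINTS = ["name", "email", "tel", "phone", "bday", "address", "postal"];

// In a browser, build a descriptor from a live <input> (not called in the sample run).
function describe(el) {
  const cs = getComputedStyle(el), r = el.getBoundingClientRect();
  return { name: el.name, autocomplete: el.autocomplete || "",
    display: cs.display, visibility: cs.visibility, opacity: Number(cs.opacity),
    x: r.left, y: r.top, width: r.width, height: r.height };
}

// Reasons a field is not visible to the user; an empty array means it looks visible.
function hiddenReasons(f, viewportWidth = 1280) {
  const reasons = [];
  if (f.display === "none") reasons.push("display:none");
  if (f.visibility === "hidden") reasons.push("visibility:hidden");
  if (f.opacity === 0) reasons.push("opacity:0");
  if (f.width < 2 || f.height < 2) reasons.push("near-zero size");
  if (f.x + f.width <= 0 || f.y + f.height <= 0 || f.x >= viewportWidth)
    reasons.push("off-screen");
  return reasons;
}

// Personal-data fields that would be submitted without the user seeing them.
function auditForm(fields) {
  const isPersonal = f => PERSONAL_HINTS.some(
    h => `${f.autocomplete} ${f.name}`.toLowerCase().includes(h));
  return fields.filter(isPersonal)
    .map(f => ({ name: f.name, reasons: hiddenReasons(f) }))
    .filter(r => r.reasons.length > 0);
}

// Constructed sample: one visible email box plus two fields kept out of view.
const base = { display: "block", visibility: "visible", opacity: 1, y: 200, width: 240, height: 32 };
const SAMPLE_FIELDS = [
  { ...base, name: "email", autocomplete: "email", x: 100 },
  { ...base, name: "phone", autocomplete: "tel", x: -5000 },
  { ...base, name: "address", autocomplete: "street-address", x: 100, opacity: 0 },
];

console.log(auditForm(SAMPLE_FIELDS));
```

In a browser's developer console, the same check can be run on the current page with `auditForm([...document.querySelectorAll("input, select")].map(describe))`. It only catches fields that are hidden; fields that are visible but easy to overlook still need a manual look.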

The best solution, I think, is to simply disable autofill. In Chrome, go to Settings, scroll down to the bottom and click on Show advanced settings, then look under Passwords and forms, and uncheck the auto-fill setting.

Another piece of good advice I have is to make sure your most important web activities are performed in a separate browser profile. In Chrome, you can click on People in the menu bar, then Add person... to create a browser profile. It would be even better to use another computer, or another browser on the same computer, but this would be a reasonably good compromise. Make sure you don’t contaminate this browser profile. Use this, for example, just for your Internet banking.

As the bad fellas get cleverer and better able to outsmart you, you need to stay ahead so that you can outsmart them. Disabling autofill is the one simple step you can do today.
