Some web browsers have an autofill function that automatically inputs your data into any required fields without you having to do a thing. Its primary purpose is to avoid the tedious repetition of standard information. For instance, when you start typing your name or email address into one field, your postal address is automatically entered in another. This function can also extend to payment details.
This is undoubtedly useful and timesaving, especially if you do a lot of online shopping. But it’s recently been discovered that it can also be used by dodgy scam artists to steal your information. Don’t worry, though, it’s very simple to disable autofill and protect your details. In fact it can be done in a matter of minutes. Read on to find out more.
Autofill phishing attack
Finnish web developer Viljami Kuosmanen made the disconcerting discovery that autofill will fill in form fields even when those fields are not visible on the page. So while you might think you’re innocently entering your name and email address using autofill, you could be sharing much more sensitive information, such as your credit card details, without realising.
The web browsers that have been identified as having an autofill phishing risk include Google Chrome, Apple Safari, Windows Internet Explorer and Opera. Currently Mozilla Firefox doesn’t have an autofill function, but it is developing one as we speak. Some extensions and plugins also have autofill settings. Password manager LastPass will auto-populate any stored login fields when you navigate to saved URLs. This could potentially be a security risk.
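The check below is an added example, not code from the article, from any browser vendor or from LastPass: it shows the kind of audit a password manager or browser extension could run before filling a form, flagging any field that asks autofill for sensitive data but is not visibly rendered (the hidden-field alert LastPass describes in the comment thread is of this kind). The field descriptors, the list of sensitive autocomplete tokens and the visibility heuristics are constructed for this illustration; in a browser the descriptors would come from document.querySelectorAll("input") together with getComputedStyle and getBoundingClientRect.

```javascript
// autocomplete tokens that browser autofill treats as payment or address data
// (a constructed subset of the HTML autocomplete vocabulary for this example)
const SENSITIVE_AUTOCOMPLETE = new Set([
  "cc-number", "cc-exp", "cc-csc", "cc-name",
  "street-address", "address-line1", "postal-code", "tel",
]);

// Heuristics for "the visitor cannot see this field". Each mirrors one common
// way a field ends up invisible; a real page may combine several of them.
function isHidden(field) {
  if (field.type === "hidden") return true;            // <input type="hidden">
  if (field.display === "none") return true;           // display: none
  if (field.visibility === "hidden") return true;      // visibility: hidden
  if (field.opacity === 0) return true;                // fully transparent
  if (field.width === 0 || field.height === 0) return true; // zero-size box
  if (field.left !== undefined && field.left < -1000) return true; // parked off-screen
  return false;
}

// Which sensitive category (if any) the field asks autofill for. The explicit
// autocomplete attribute wins; the name attribute is a fallback.
function guessCategory(field) {
  const token = (field.autocomplete || field.name || "").toLowerCase();
  return SENSITIVE_AUTOCOMPLETE.has(token) ? token : null;
}

// One warning per field that requests sensitive autofill data but is not visible.
function auditForm(fields) {
  const warnings = [];
  for (const f of fields) {
    const category = guessCategory(f);
    if (category && isHidden(f)) warnings.push({ name: f.name, category });
  }
  return warnings;
}

// Constructed sample: a form that visibly asks only for a name and email ...
const sampleForm = [
  { name: "name", type: "text", autocomplete: "name", width: 200, height: 30 },
  { name: "email", type: "email", autocomplete: "email", width: 200, height: 30 },
  // ... while also carrying three fields the visitor never sees.
  { name: "cc-number", type: "text", autocomplete: "cc-number", width: 200, height: 30, display: "none" },
  { name: "postal-code", type: "text", autocomplete: "postal-code", width: 0, height: 0 },
  { name: "tel", type: "text", autocomplete: "tel", width: 200, height: 30, left: -5000 },
];

console.log(auditForm(sampleForm)); // three warnings: cc-number, postal-code, tel
```

A visible card-number field on a genuine checkout page produces no warning, so the audit only fires when a sensitive field is both requested and concealed.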
How to turn off your autofill
Chrome
Google Chrome actually has an autofill system that is switched on by default, but it’s very easy and quick to disable the feature. Simply click on the three dots to the right of the URL address bar. Open ‘Settings’ and at the bottom of the settings page click ‘Show advanced settings’. Under ‘Passwords and forms’ untick the box that says ‘Enable Autofill to fill out web forms in a single click’.
Safari
To stop autofill on Apple Safari, open the browser and click on ‘Safari’ in the program menu, just below the URL window. Select ‘Preferences’ in the drop-down menu and a new window will open. In this new window, click on the ‘Autofill’ tab. Then uncheck each box to turn off the autocomplete for each option.
Internet Explorer
For Microsoft Internet Explorer, click on ‘Tools’, which is just underneath the URL address bar. Then in the drop-down menu select ‘Internet Options’. Another window will pop up with five tabs. Select the ‘Content’ tab and click on the ‘Settings’ button to the right of ‘AutoComplete’. Another window will open and you can delete your entire autofill history as well as deselect all aspects of the autofill feature.
Opera
If you use Opera to browse the web, click on the ‘Opera’ button below the URL window. Then select ‘Settings’ in the drop-down menu. Within ‘Settings’ click on ‘Privacy & security’ and within the ‘Autofill’ section uncheck the box for ‘Enable auto-filling of forms on webpages’.
LastPass
If you use LastPass, you can deactivate the autofill by right-clicking the LastPass plugin icon in your browser toolbar. In the menu select ‘Options’ and untick ‘Automatically Fill Login Information’.
So far we’re only aware of the autofill system being used with the browsers and plugins specified. But we would recommend checking the settings on all the browsers, extensions and plugins you use to see if the autofill function is enabled. If it is, turn it off within the settings menu.
LastPass has an option to request permission via a dialogue box whenever a form demands credit card information. I use that option so I’m not too worried about attacks where parts of the form are not visibly rendered.
Another option is to keep a single expired credit card registered in LastPass (label it something like “Mastercard expired”) and select that from the LastPass dropdown menu whenever any form wants just your personal information. Even if the thieves have managed to figure out a way to steal your CC info using these forms, all they will get is an expired number.
At some point, people MUST take responsibility for the security of their own financial information (if that is their interest). There are many security tools, but the people themselves have to employ them… otherwise they just sit out in the rain and gather rust.
Firefox does have an autofill function, albeit as a plug-in. Need to make enquiries…
This is somewhat confusing since apps like LastPass are specifically designed to make it easier to fill forms AND be secure. Are you therefore implying that the money I have spent on it is a waste of time? Or is there a safe way to use it? In addition, what about Google Smart Lock managing passwords, is that safe?
Hi Will,
I wouldn’t say the money spent on Last Pass is a waste as it’s still a very secure and useful way to store your passwords and safeguard your data. By all means still use it, but we would advise being careful with the autofill function and potentially think about turning off the autofill function in the tool or at least removing your credit and debit card details.
Google Smart Lock doesn’t store information like credit card numbers, so there’s no risk of the autofill function sharing your information with this tool. So if you use Smart Lock to quickly access your devices and websites, by all means continue to do so as it is a secure app to store passwords.
Thanks
Alison (Which? tech expert)
I’m also a LastPass user, and I am thoroughly confused over these comments, I would like Which? to clarify and provide more detail about exactly what the vulnerability is.
I think (but am not 100% certain) that what this means is that IF you have navigated to a fake website via a phishing link and used LP to enter your login details, then that website may also be capturing details such as credit card info via hidden fields. So if you don’t click on links in phishing emails, or if you don’t store payment details in LP, you should be OK… is that right? Or does this vulnerability mean that using LP autofill for one site might expose all the other login credentials for other sites stored in LP?
FWIW, I challenged Last Pass about this. Their response: “I thought of the article as a way of imposing negativity about our product …You are asking us if the report in the article is correct, and that, if it would be better for you to turn off the autofill function of your Lastpass? Naturally, we’ll suggest that the article is in no way true, and it is not necessary to turn off your autofill feature.”.
So I am completely confused. Which? are now advising about issues with password managers that they have previously recommended (https://blogs.which.co.uk/technology/app-review/password-managers-do-they-keep-your-online-passwords-safe/). What to believe?
I now have a slightly more helpful response from Last Pass:
“Based on the information presented in the article you shared, we understand your cause for concern. … I would also like to mention that LastPass has protective measures in place to prevent your information from being stolen. Such measures would include notifying you that there are hidden fields requesting that information is being filled. When one receives this alert, it is up to that user to decide if they would like to proceed if they trust the site or not. So to address the question, we have measures in place to protect your information from being filled into hidden fields but, if you prefer to not employ the autofill feature, you are free to have it disabled.”
Based on that response, I’m afraid the Which? blog looks like crying wolf unnecessarily.
Hi Colin,
This article is to publicise the safety issues around auto fill, but it’s not an attack on Last Pass. A vulnerability has been identified which may compromise your data, as it’s been discovered that auto fill sends information to fill in boxes even if those boxes aren’t on the page. So if you accidentally find yourself on a dodgy site pretending it’s another ‘real’ site, you could find you’re sharing your sensitive banking information even if you don’t realise it.
We still recommend Last Pass as a really good password manager and way to store your data. But it’s advisable to turn off the auto fill function on any browsers or applications you use, or to at least remove your bank details. I hope that helps!
Thanks
Alison