Could hidden password fields allow someone to steal your info?

@Blakeley
I should have added more context, but my Firefox and Bitwarden both have my general info available for autofill. When I click on the “name” field, both offer to fill in everything.

Vic said:
@Blakeley
I should have added more context, but my Firefox and Bitwarden both have my general info available for autofill. When I click on the “name” field, both offer to fill in everything.

When you click the field, if you have autofill turned on.

But I can’t see it autofilling hidden fields automatically without at least asking which one to use—like which of 6 credit cards or 3 addresses to fill in?

@Blakeley
No, browsers can save a profile containing name, address, zip code, etc. This isn’t tied to a specific URL.

They also save data based on field names. Like “search” or “s” is common. You might see your query from a different site appear in the browser’s autocomplete.

The same applies to emails and addresses.

Yes, it’s certainly possible, but domain matching is a hurdle. If combined with something like script injection or DNS spoofing, it could pose a real risk. This is why Bitwarden has autofill turned off by default and warns you before enabling it.

Because it’s tied to the URL, an attack targeting autofill for browser or password managers would require modifying the page’s content.

This actually happens. For about a month, malicious code was injected into NewEgg’s checkout page, capturing entered credit card details and sending them to another server.

Link to article

This is partly why autofill fields often have a unique font/size that doesn’t match the site. There was a security risk earlier where hidden autofill fields could be made, tricking users into triggering them. Now, with a fixed default font, this type of abuse is minimized. Of course, users can still be tricked into selecting one of the autofill entries, but at least they read the “confirmed” input.
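As an added example (not part of the thread or any poster's code), here is a static check a site owner could run over their own form markup to flag personal-data fields that are hidden from view, which is the trick the post above describes. The hint and hiding patterns, the `audit` function and the sample form are assumptions of this example, and it only sees inline styles and the `hidden` attribute, not stylesheet rules.

```python
import re
from html.parser import HTMLParser
# Heuristics (assumptions): personal-data hints, and inline styles that hide an element
SENSITIVE = re.compile(r"name|email|tel|phone|address|street|postal|zip|city|cc-|card", re.I)
HIDING = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|opacity\s*:\s*0(\.0+)?\s*(;|$)"
    r"|(?<![\w-])(left|top)\s*:\s*-\d{3,}|(?<![\w-])(width|height)\s*:\s*0(px)?\s*(;|$)", re.I)
VOID = {"input", "br", "img", "hr", "meta", "link"}  # tags with no end tag

class HiddenAutofillAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.stack = []      # (tag, hides_subtree) per open element
        self.findings = []   # (field name, reason)

    def handle_starttag(self, tag, attrs):
        a = {k: v or "" for k, v in attrs}
        hides = "hidden" in a or bool(HIDING.search(a.get("style", "")))
        # type=hidden inputs are skipped: assumed to hold server-set values (e.g. CSRF tokens)
        if tag in ("input", "select", "textarea") and a.get("type", "").lower() != "hidden":
            hint = a.get("name", "") + " " + a.get("autocomplete", "")
            reason = ("hidden by its own style" if hides else
                      "inside a hidden container" if any(h for _, h in self.stack) else None)
            if SENSITIVE.search(hint) and reason:
                self.findings.append((a.get("name", ""), reason))
        if tag not in VOID:
            self.stack.append((tag, hides))

    def handle_endtag(self, tag):
        # Pop back to the matching open tag; tolerates unclosed children
        opens = [i for i, (t, _) in enumerate(self.stack) if t == tag]
        if opens:
            del self.stack[opens[-1]:]

def audit(html):
    parser = HiddenAutofillAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample form, not taken from any real site
SAMPLE = """<form><input name="fullname" autocomplete="name">
<input type="hidden" name="csrf_token" value="x">
<div style="position:absolute; left:-9999px">
  <input name="phone" autocomplete="tel"><input name="addr" autocomplete="street-address">
</div>
<input name="cc" autocomplete="cc-number" style="opacity:0">
</form>"""
if __name__ == "__main__": print(audit(SAMPLE))
```
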

@True
See this issue: Chromium

Don’t you have to click the field first? At least that’s how it works with Google Password Manager.

This can get your name and address. A website can’t access your passwords for other sites; browsers only autofill your bank password when on your bank’s site.

However, if a legitimate website is poorly made and has XSS vulnerabilities, hackers might capture your password for that site.

People have been using this method for years. Is it still a thing? I thought it might have been resolved by now.

If you can create elements on the page, you can also read existing elements on that page.

They used to be able to do it without any user interaction!

Link to paper

Brave now includes a speed bump alert for credit card autofill.

You could try it out yourself to see what happens. If it doesn’t work, you’ll still learn something.

This is another reason why you shouldn’t store sensitive data in your browser! Use a proper password manager instead!