Bamboozled January 12, 2017: How Google Chrome might help scammers steal your info


A Google Chrome security hole means consumers need to take action to protect their private information.


You take a lot of steps to keep your private information safe online — we hope.

Perhaps you use different logins and passwords for all your accounts. You search for “https” to make sure a site is secure. You type carefully so you don’t end up on an impersonation website, and you never open strange emails, click on uncertain links or download documents or images from questionable senders.

But if you use Google Chrome as your internet browser, you might reveal your private information without even knowing it.

Even your credit card information.

Bamboozled learned of this security flaw from Viljami Kuosmanen, a 23-year-old computer tech guy based in Finland, who reported his findings on Twitter.

The problem is with Chrome’s auto-fill feature. The feature automatically adds your information — such as your name or address — to online forms using information you’ve previously filled out on other online forms.

It’s a convenience so users won’t have to type and retype the same information over and over again.

But with Chrome, there’s behind-the-scenes coding that shares more auto-fill info than some online forms request, Kuosmanen found.

“The issue I found with Chrome’s implementation of this feature is that it will fill fields hidden from view of the user, without giving any indication of what information has been shared with the website,” Kuosmanen said in an email interview.

So when you use auto-fill with a Chrome browser, it will fill in all of your stored information — even information that’s not asked for by the website via the boxes, or fields, shown on the form.

What’s the big deal?

“Consumers might get targeted by malicious websites or emails using this attack vector to reveal sensitive information like the full contact information, credit card details or passwords belonging to the user,” Kuosmanen said.

He’s most worried about identity theft, something Mitch Feather of Creative Associates, a Madison-based cybersecurity and infrastructure consulting firm, said is a real problem.

“If the consumer does not follow sound password practices, then the actor may be well positioned to access any number of the consumer’s online accounts,” Feather said.

Here’s how it works.

Say you’ve filled out a form on a retail website and you included your credit card information. Later that day, you sign up for a free newsletter or for coupons from a different site. You start to fill out the form, but if your auto-fill is active, the boxes are automatically completed for you. There is no box to complete for your credit card information, so you don’t have any reason to believe that information is being transmitted to the website.

But if you use Chrome, it will share all of your stored information, including your credit card number, your expiration date and your CVV — that three-digit code on the back of your credit card.

Kuosmanen created this video to show how it works.

As you can see, after only inputting a name and email address, the auto-fill also added a phone number, address and company name to the code. If the user’s auto-fill also had credit card information stored, that would have been added to the code, too.
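For anyone reviewing a form before trusting it, the pattern described above can be checked statically: list the fields that look autofillable and flag the ones the user cannot see. This is an added example, not code from Kuosmanen or from this column; the CSS patterns, the field-name hints and the sample form are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
# Assumed heuristics: inline CSS that takes an element out of the user's view.
HIDING_CSS = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|opacity\s*:\s*0(?![.\d])"
    r"|(?:left|top|text-indent)\s*:\s*-\d{3,}", re.I)
# Assumed hints: name/autocomplete fragments that suggest stored profile or card data.
AUTOFILL_HINT = re.compile(
    r"name|email|tel|phone|address|street|city|postal|zip|country"
    r"|organi[sz]ation|company|cc-|card|cvv|cvc|exp", re.I)
VOID = {"input", "br", "img", "hr", "meta", "link"}

class HiddenAutofillAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.stack = []  # one flag per open element: does it hide its children?
        self.visible, self.hidden = [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        hides = "hidden" in a or bool(HIDING_CSS.search(a.get("style") or ""))
        # type=hidden inputs hold page-set values, not user-entered data: skip them.
        if tag in ("input", "select", "textarea") and a.get("type") not in ("hidden", "submit", "button"):
            name = a.get("name") or a.get("id") or ""
            if AUTOFILL_HINT.search(f"{name} {a.get('autocomplete') or ''}"):
                concealed = hides or any(self.stack)  # hidden itself or via an ancestor
                (self.hidden if concealed else self.visible).append(name)
        if tag not in VOID:
            self.stack.append(hides)

    def handle_endtag(self, tag):
        if tag not in VOID and self.stack:
            self.stack.pop()

def audit(html):
    """Return autofill-looking field names, split by whether the user can see them."""
    parser = HiddenAutofillAudit()
    parser.feed(html)
    return {"visible": parser.visible, "hidden": parser.hidden}

# Constructed sample form, modelled on the newsletter sign-up scenario in the article.
SAMPLE = """<form action="/subscribe" method="post">
<input name="name"> <input name="email" type="email">
<div style="position:absolute; margin-left:-500px">
<input name="phone"> <input name="organization"> <input name="address">
</div>
<input name="cc-number" style="display:none">
<input type="hidden" name="csrf_token" value="constructed"> <input type="submit">
</form>"""
```

The check reads inline styles only; fields hidden by an external stylesheet or by script need an audit of the rendered page instead.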

Try it for yourself. Kuosmanen also created a web page so you can see what information might be saved in your auto-fill, and therefore transmitted when you use auto-fill for an online form on a Chrome browser.

We did it, and our credit card information was stored there. That was a surprise.

It’s bad enough to imagine a legitimate company getting unneeded personal information about you given the number of companies that have been the victim of hacks or data breaches.

What’s worse is that if you fall prey to a fake website created by a scammer, and you complete a form — perhaps to make a purchase, or to fill out a survey, or for just about any reason — the bad guys will have your name, address, phone, password and all the credit card information they need for a shopping spree or to steal your identity and open new accounts in your name.

Kuosmanen said Apple’s Safari browser has a similar problem, but it’s not as glaring as Chrome’s.

“Safari users get a more detailed prompt about the information to be auto-filled which the user needs to confirm, which is slightly better than Chrome’s simplified prompt, that doesn’t tell the user anything about the information they’re about to share,” he said.

He said the Mozilla Firefox browser has better protections.

“In Firefox, you have to right click an input field and then select an identity to use. So a Firefox user auto-fills each field,” Kuosmanen said.

We reached out to Google and Apple to ask about these security flaws.

A Google spokesman said the company is aware of the Chrome issue and working to address it.

Apple said it would have a statement about Safari, but it didn’t respond in time for publication.


To protect yourself, choose not to use auto-fill. You can reject it as you start to complete online forms.

Or, disable auto-fill altogether.

You can do that by going to “settings,” selecting “show advanced settings,” and unchecking the auto-fill option.

To see what auto-fill information lives in your version of Chrome, click “manage autofill settings” and you can remove any information you don’t want shared.

To shut it off for Safari, choose “Safari,” then “preferences,” then click “AutoFill.” You can disable it — it’s automatically enabled unless you deselect it. And you can also click “Edit” to see what information is stored there. You can then delete what you don’t want available.

“In general it’s good to be aware of the possibility of web forms having hidden fields, which may or may not be filled and sent, even without you clicking on anything on the web page,” Kuosmanen said. “Just don’t share any personal details, especially using auto-fill profiles on sites you don’t completely trust.”

Feather, the Madison cybersecurity expert, said disabling all auto-fill functions on all browsers is the safest action. You should disable the storage of passwords, too.

“But don’t just rely on your browser settings,” Feather said. “Think before you click.”

Have you been Bamboozled? Follow Karin Price Mueller on Twitter @KPMueller. Find Bamboozled on Facebook.