├── .gitattributes
├── LICENSE.md
├── autofill-demo.gif
├── index.html
├── package.json
└── readme.md

/.gitattributes:
--------------------------------------------------------------------------------
*.coffee linguist-language=JavaScript
*.ts linguist-language=JavaScript
*.html linguist-language=JavaScript
*.json linguist-language=JavaScript

--------------------------------------------------------------------------------
/LICENSE.md:
--------------------------------------------------------------------------------
Copyright (c) 2017 @anttiviljami

Permission is hereby granted, free of charge, to any person obtaining
a copy of this software and associated documentation files (the
"Software"), to deal in the Software without restriction, including
without limitation the rights to use, copy, modify, merge, publish,
distribute, sublicense, and/or sell copies of the Software, and to
permit persons to whom the Software is furnished to do so, subject to
the following conditions:

The above copyright notice and this permission notice shall be included
in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

--------------------------------------------------------------------------------
/autofill-demo.gif:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/anttiviljami/browser-autofill-phishing/78ac0e4d787c00dd56ceb772e91e6cc4184bb440/autofill-demo.gif

--------------------------------------------------------------------------------
/index.html:
--------------------------------------------------------------------------------
Browser Autofill Phishing

--------------------------------------------------------------------------------
/package.json:
--------------------------------------------------------------------------------
{
  "name": "browser-autofill-phishing",
  "private": true,
  "description": "A simple demo of phishing by abusing the browser autofill feature",
  "main": "readme.md",
  "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1"
  },
  "repository": {
    "type": "git",
    "url": "git+https://github.com/anttiviljami/browser-autofill-phishing.git"
  },
  "author": "Viljami Kuosmanen",
  "license": "MIT",
  "bugs": {
    "url": "https://github.com/anttiviljami/browser-autofill-phishing/issues"
  },
  "homepage": "https://github.com/anttiviljami/browser-autofill-phishing#readme"
}

--------------------------------------------------------------------------------
/readme.md:
--------------------------------------------------------------------------------
# Browser Autofill Phishing 🐟
[![GitHub license](https://img.shields.io/badge/license-MIT-blue.svg)](https://raw.githubusercontent.com/anttiviljami/browser-autofill-phishing/master/LICENSE.md)
[![Awesome Humane Tech](https://raw.githubusercontent.com/humanetech-community/awesome-humane-tech/main/humane-tech-badge.svg?sanitize=true)](https://github.com/humanetech-community/awesome-humane-tech)

This is a simple demonstration of form fields that are hidden from the user
but are filled in anyway when the browser's form autofill feature is used.
This poses a security risk for users, who are unaware that they are giving
their information to the website.

## Google Chrome behaviour

Here's the demo in action on the Google Chrome browser:

![Autofill Demo](autofill-demo.gif)

## Other browsers

It works differently in some other browsers. For example:

* In Safari, it will tell you all the data it is filling into the form, even
  if it isn't visible to you.

* In Firefox, you have to right-click an input field and then select an
  identity to use. So a Firefox user autofills each field separately.

## Live demo

View the page at:
[https://anttiviljami.github.io/browser-autofill-phishing/](https://anttiviljami.github.io/browser-autofill-phishing/)

## Contributing

Please feel free to submit pull requests to this repository for any additional
information you feel is important!

## References

- ["Why you should not use autocomplete" on yoast.com](https://yoast.com/autocomplete-security/)

--------------------------------------------------------------------------------
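
The risk the readme describes, fields the user cannot see being filled alongside the visible ones, can be audited from the rendered state of a form. The following is an added example, not code from this repository; the descriptor shape, the function names and the sample form are assumptions constructed for illustration.

```javascript
// Added example (not from the repository): flag autofillable fields that the
// user cannot see. In a browser, build each descriptor from
// getComputedStyle(el) and el.getBoundingClientRect(); plain objects are used
// here so the audit runs offline under Node.

// Input types this example does not treat as autofill targets (assumption).
const NON_DATA_TYPES = ['hidden', 'submit', 'button', 'reset', 'checkbox', 'radio'];

// Reasons a rendered field is not visible to the user (empty array = visible).
function hiddenReasons(field, viewport) {
  const { style, rect } = field;
  const reasons = [];
  if (style.display === 'none') reasons.push('display:none');
  if (style.visibility === 'hidden') reasons.push('visibility:hidden');
  if (Number(style.opacity) === 0) reasons.push('opacity:0');
  if (rect.width <= 1 || rect.height <= 1) reasons.push('collapsed size');
  // Below the fold is reachable by scrolling, so only left/top/right count.
  if (rect.x + rect.width <= 0 || rect.y + rect.height <= 0 || rect.x >= viewport.width) {
    reasons.push('off-screen');
  }
  return reasons;
}

// Split a form's data fields into those the user sees and those they do not.
function auditForm(fields, viewport) {
  const visible = [];
  const concealed = [];
  for (const field of fields) {
    if (NON_DATA_TYPES.includes(field.type)) continue;
    const reasons = hiddenReasons(field, viewport);
    if (reasons.length > 0) concealed.push({ name: field.name, reasons });
    else visible.push(field.name);
  }
  // Visible fields invite autofill; concealed ones may be filled unnoticed.
  return { visible, concealed, suspicious: visible.length > 0 && concealed.length > 0 };
}

// Constructed sample form: two fields on screen, two concealed, one type=hidden.
const shown = { display: 'block', visibility: 'visible', opacity: '1' };
const sampleForm = [
  { name: 'name', type: 'text', style: shown, rect: { x: 20, y: 40, width: 200, height: 24 } },
  { name: 'email', type: 'email', style: shown, rect: { x: 20, y: 80, width: 200, height: 24 } },
  { name: 'phone', type: 'tel', style: shown, rect: { x: -500, y: 120, width: 200, height: 24 } },
  { name: 'address', type: 'text', style: { ...shown, opacity: '0' }, rect: { x: 20, y: 160, width: 200, height: 24 } },
  { name: 'csrf', type: 'hidden', style: { ...shown, display: 'none' }, rect: { x: 0, y: 0, width: 0, height: 0 } },
];
const report = auditForm(sampleForm, { width: 1280, height: 720 });
console.log(JSON.stringify(report, null, 2));
```

A form is marked suspicious only when it mixes visible and concealed data fields, which is the pattern the demo relies on; a form with only ordinary `type="hidden"` inputs is not flagged.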