Autofill FUD

Last week, while browsing various news feeds and websites, I took a scroll through Facebook and saw this video posted from our local morning show, Breakfast Television. They were talking about a Lifehacker post that referenced a github repository belonging to Viljami Kousmanen. The doom and gloom statements of the video are pretty clear evidence of what’s wrong with some “journalism” today. Ultimately this is FUD... FUD that’s been picked up and discussed by a number of online publications. What we’re talking about here is not some mastermind phishing attack or a ploy to steal your confidential information. Instead, we’re talking about a function of a browser that is being abused in a very minor way to obtain additional details. There are ultimately two types of data referenced here:

1. Contact Details – Name, Address, Phone Number, Email, Company
2. Confidential Details – Credit Card, Passwords

It’s actually interesting that they purposely call out LastPass in the article and video to further heighten the FUD because there’s a big difference between #1 and #2 on the list above. Before we discuss the types of data this affects, let’s talk about the logic involved in this process. While others are calling this an exploit, I don’t feel that term fits, so I’ll stick with process. My favorite text related to this so far was the subheadline on the ZDNet article – ‘Some browsers will turn over a user’s autofill information – even when the website doesn’t ask for it.’ This made me laugh because the browser is asking for it, which is why autocomplete provides it. You just don’t get a visual representation of this. To understand this further, we have to know how the website we visit are displayed to us. They are written in HTML (and a variety of other languages). HTML (Hyper Text Mark-up Language) provides tags that define the visual representation of the website. Your browser interprets these tags into the rendering of the website that you see. We’re a long ways from the plain text websites of the 90s. Instead, we have visually appealing websites that require a substantial amount of layout. This layout is done using CSS (Cascading Style Sheets), which describes how the element the tag defines is supposed to be displayed. For example, HTML allows me to create a button that says ‘Submit’, while CSS can specify the font and colour of that button. With this proof of concept, the data that is “phished” is asked for by your browser; however, the CSS defines that the input box be drawn 500 pixels past the left margin with the following statement: style=”margin-left:-500px”. This causes your browser to display the input box beyond the bounds of the browser window, essentially making it invisible. So the website is asking for it; you just can’t see it. This violation of trust is the same reason why you are constantly told not to open attachments from people you don’t know and to avoid browsing to websites you don’t trust. Now that we’ve talked about the process involved, let’s take a look at the two pieces of data that are involved in this discussion... this first being your contact details. This is the text that autocomplete is designed to populate for you. Your name, address, email, etc. are ultimately not that “private”. If you’re using the internet and entering this data into websites, then people already have it. (And if it’s already in your autocomplete, you are clearly doing that.) You should not assume this data is private and you should not assume that people cannot obtain it. If you don’t believe that, run a quick search for your name on FamilyTreeNow.com or Spokeo and see the details that are available. So the fact that someone can take a few additional pieces of data that you don’t know about is not a big deal. In fact, many would consider it to be pretty minor. Keep in mind that these are random websites designed to steal your information and not necessarily legitimate sites that you may not want friends and family to know you visit. The second data was what I referred to as ‘confidential data’; these are items like your credit card details and your passwords. While nothing states that your password can be obtained (because it can’t be), they definitely imply it with the reference to LastPass in the various articles and videos. The reality is that a setup like this is not going to steal your passwords, especially from a tool like LastPass, which associates your credentials and additional data with a specific domain. Any data that is obtained is simply contact details like those referenced above. With credit card information, there is a possibility that this data will be obtained. If you have used a website in the past and told your browser to save your credit card details, the first question I have is WHY? You should NEVER allow any tool to save your credit card data. This is a cardinal sin. So if you haven’t told it to save it, there’s the option that autocomplete remembered it. Except that there shouldn’t be... because all reputable websites should have autocomplete=off defined for all credit card related input boxes. If you are looking at purchasing from a website, enter in fake data the first time and, when you return, see if your browser attempts to autocomplete that data. If it does, the website has not taken the bare minimum of steps to meet PCI compliance, and you should find another place to shop. In the end, yes... there is a small risk that some personal information will be leaked, but this is not private information. Anything confidential you should already be safeguarding, and if you’re practicing proper security hygiene, items like credit card details and passwords will never be leaked to a website designed to do this. Ultimately, you should be using multiple browser profiles to further disconnect your real identity and your browsing persona.