https://www.instagram.com/reel/C9DTe87OrTH/
This repo demonstrates an autofill phishing vulnerability in modern day browsers. It highlights how even the latest browsers might be susceptible to this type of basic attack, which has been around for around 8 years.
Many modern day web browsers offer autofill features to enhance user convenience by automatically filling in form fields with saved data. However, this convenience can be exploited due to:
- Attackers can hide input fields on a webpage, which get autofilled without the users knowledge.
- Users often trust autofill to only populate visible fields, unaware that hidden fields can also be filled.
This attack exploits the autofill feature of browsers. Here are the key steps involved:
- Crafted Web Form: The attacker creates a web form with visible and hidden input fields.
- User Interaction: The user visits the malicious website and interacts with the visible form fields.
- Autofill Trigger: The browser's autofill feature automatically populates both visible and hidden fields with saved user data.
- Extraction: The hidden fields capture sensitive information without the user’s knowledge, which is then sent to the attacker.
Inspired by Viljami Kuosmanen - https://github.com/anttiviljami/browser-autofill-phishing