Most of your browsing sessions probably begin at a login page where you type in your username and password. After you hit enter, a small prompt often appears asking whether you would like the browser to remember those details for your next visit. This Autofill (autocomplete) feature is convenient, but it can also be abused by scammers to steal the very credentials it stores.
As a standard feature in most browsers, Autofill is designed to populate form fields with personal and financial data retained from previous browsing sessions. This saves you some typing, and in the case of passwords, saves you from having to remember what they are.
This is a nice time-saver, but it is also risky. Why? Because the browser fills a form when it recognises the fields and the site, not because you can see the form. Anyone who can place a copy of the login form on a page of that same website can therefore have it filled as well.
Chrome's Settings page lets you switch Autofill off.
A quick check of the browser's settings reveals that Autofill is typically enabled for every category of data: personal data such as your username, password and shipping address, as well as financial data such as credit card details.
When you enter your username and password with Autofill enabled, the browser offers to save them, and ordinarily that would be the end of the story. On a compromised website, however, a third party can add malicious code to the site's pages, for example to its homepage.
The job of that code is to create an invisible copy of the login form and capture your username and password. The copy is hidden from you (pushed off-screen, shrunk to nothing or made transparent), but it is still a real form as far as the browser is concerned. When the browser recognises the fields, Autofill kicks in and dutifully populates them with your saved credentials; the script then reads the values back and sends them to the scammers' systems. Browsers have tightened this over time, for instance by withholding a saved password until you have interacted with the page, but an automatically filled username or email address is still valuable to an attacker, and the exact behaviour differs between browsers and versions, so check your own rather than assuming.
It is important to reiterate that this process is controlled by the third party who injected the malicious code into the website. The site's owners may not even be aware that it is happening, especially if the code was delivered through a malicious ad. Note that the code has to run on the site itself: the browser only offers credentials saved for the site you are on, so a copy of the form on an unrelated domain would not be filled.
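As an added example (this is not code from the original article), the following script is a check a site owner or a curious user can paste into the browser's developer console to look for exactly the kind of field described above: a username, email or password input that is present in the page but invisible to a person. The field-descriptor shape, the off-screen and size thresholds, and the SAMPLE_FIELDS data are assumptions made for this example; the classification is a pure function so it also runs outside a browser.

```javascript
// Added example, not from the original article: find credential fields that
// are present in the page but invisible to a person, which is what an
// autofill-harvesting script has to plant. Field descriptors are plain
// objects so the classification can also run outside a browser (e.g. Node).

// Autocomplete tokens a password manager treats as login credentials.
const CREDENTIAL_AUTOCOMPLETE = ['username', 'email', 'current-password', 'new-password'];

function isCredentialField(f) {
  const type = String(f.type || 'text').toLowerCase();
  // input type=hidden is never autofilled, so it is not a harvesting vector.
  if (type === 'hidden') return false;
  if (type === 'password') return true;
  const ac = String(f.autocomplete || '').toLowerCase();
  if (CREDENTIAL_AUTOCOMPLETE.includes(ac)) return true;
  // Autofill also guesses from field names; mirror a few common patterns.
  return /user|login|email|pass/i.test(String(f.name || ''));
}

// CSS tricks that hide a control from a person but leave it a real,
// autofillable form field as far as the browser is concerned.
function isVisuallyHidden(f) {
  const s = f.style || {};
  if (s.display === 'none' || s.visibility === 'hidden') return true;
  if (Number(s.opacity) === 0) return true;
  // Positioned far off-screen (the -1000px threshold is an assumption).
  if ((s.position === 'absolute' || s.position === 'fixed') &&
      (Number(s.left) < -1000 || Number(s.top) < -1000)) return true;
  // Collapsed to (nearly) nothing, e.g. a 1x1 pixel box.
  return Number(f.width) <= 1 || Number(f.height) <= 1;
}

function findHiddenCredentialFields(fields) {
  return fields.filter(f => isCredentialField(f) && isVisuallyHidden(f));
}

// Browser-only: describe every <input> on the page in the shape above.
function collectFieldsFromDocument(doc) {
  const out = [];
  for (const el of doc.querySelectorAll('input')) {
    const cs = getComputedStyle(el);
    const r = el.getBoundingClientRect();
    out.push({
      type: el.type,
      name: el.name || el.id,
      autocomplete: el.getAttribute('autocomplete') || '',
      width: r.width,
      height: r.height,
      style: {
        display: cs.display, visibility: cs.visibility, opacity: cs.opacity,
        position: cs.position, left: parseFloat(cs.left), top: parseFloat(cs.top),
      },
      // Where the enclosing form would submit; useful when triaging a hit.
      formAction: el.form ? (el.form.getAttribute('action') || '(same page)') : '(no form)',
    });
  }
  return out;
}

// Constructed sample (an assumption for the example): a normal login form, a
// search box, and a planted copy of the login fields hidden in two ways, as
// an injected harvesting script would add.
const VISIBLE = { display: 'block', visibility: 'visible', opacity: '1', position: 'static' };
const SAMPLE_FIELDS = [
  { type: 'email', name: 'email', autocomplete: 'username', width: 240, height: 32, style: VISIBLE },
  { type: 'password', name: 'password', autocomplete: 'current-password', width: 240, height: 32, style: VISIBLE },
  { type: 'text', name: 'q', autocomplete: '', width: 180, height: 32, style: VISIBLE },
  { type: 'email', name: 'email', autocomplete: 'username', width: 240, height: 32,
    style: { display: 'block', visibility: 'visible', opacity: '1', position: 'absolute', left: -9999, top: 0 } },
  { type: 'password', name: 'password', autocomplete: 'current-password', width: 240, height: 32,
    style: { display: 'block', visibility: 'visible', opacity: '0', position: 'static' } },
];

if (typeof document !== 'undefined') {
  console.table(findHiddenCredentialFields(collectFieldsFromDocument(document)));
} else {
  console.log(findHiddenCredentialFields(SAMPLE_FIELDS));
}
```

The check only sees fields that exist at the moment it runs; a harvesting script can insert its form, wait for Autofill and remove it again, so on a page you suspect, run it right after load or wrap the same classification in a MutationObserver that watches for new inputs.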
To reduce the risk of handing your credentials to an unknown third party, disable the Autofill function in your browser, or at least turn off automatic filling so that saved credentials are entered only when you explicitly pick them from the prompt. You can also test your browser on this live demo page: enter a fake email address and fake password, then check whether your browser's built-in login manager automatically fills an invisible login form.