As users we are always on the lookout for ways to save time and effort. That’s why almost everyone uses the autocomplete function of web browsers, with which you can enter typical information in just a few clicks. No one can doubt that this is a very useful feature.

And yet, as reported by Bleeping Computer, autofill features can be used to steal personal data in phishing campaigns. All it takes is a form with hidden fields, which extracts the data without the user knowing and without raising suspicion.

The flaw was discovered by Finnish security specialist Viljami Kuosmanen. On his Twitter account he posted a GIF demonstrating how the procedure works …

The demo shows that it is possible, and very easy, to use hidden fields to collect all the information in the autofill profile. And it’s just one of the many things a hacker can do.

How data is extracted from autocomplete

To do so, a website created for the occasion is used. It simply invites users to fill in their name and email address. From there, the hack relies on the user accepting the autocomplete suggestion as soon as it appears after typing the first letter of their name.

The data is then filled in automatically, and although the person entering it may think the browser was only entering, for example, their email address for them, the page was actually collecting their stored personal data. Not only the email address but also the postal address, phone number and other details can be obtained.

This technique is very similar to the one used in tools like LastPass and other web browser extensions that store user data, which always generate controversy. It is a very simple method that could be very useful in phishing campaigns that use brute force.
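
From the defender's side, a form can be checked for this pattern before it is trusted or shipped. The following is an added example, not code from the article or from Kuosmanen's demo: a small JavaScript audit that lists personal-data fields a visitor would not see. The field-name list, the hiding heuristics and the sample form are constructed assumptions, and only inline styles and the hidden attribute are inspected.

```javascript
// Field names treated as personal data (illustrative list, not exhaustive).
const PERSONAL = /(name|email|tel|phone|organization|company|address|street|postal|zip|city|country|cc-)/i;

// Inline-style patterns that keep an element out of the user's sight.
const HIDING = [
  /display\s*:\s*none/i,
  /visibility\s*:\s*hidden/i,
  /opacity\s*:\s*0(\.0+)?\s*(;|$)/i,
  /(^|[;\s])(height|width)\s*:\s*0(px)?\s*(;|$)/i,
  /(left|top|margin-left|margin-top|text-indent)\s*:\s*-\d{3,}/i, // pushed off-screen
];

// Parse one tag's attributes into a lower-cased map (bare attributes map to "").
function attrs(tag) {
  const out = {};
  const re = /([\w-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;
  const body = tag.replace(/^<\s*[\w-]+/, "").replace(/\/?>$/, "");
  for (const m of body.matchAll(re)) out[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  return out;
}

const isHidden = (a) => "hidden" in a || HIDING.some((re) => re.test(a.style || ""));

// Return the personal-data fields that are present in the form but not visible.
function auditForm(html) {
  const findings = [];
  const hiddenStack = []; // one entry per open <div>: true if it or an ancestor is hidden
  for (const m of html.matchAll(/<\/div\s*>|<(div|input|select|textarea)\b[^>]*>/gi)) {
    if (!m[1]) { hiddenStack.pop(); continue; } // closing </div>
    const a = attrs(m[0]);
    const hidden = isHidden(a) || hiddenStack.includes(true);
    if (m[1].toLowerCase() === "div") { hiddenStack.push(hidden); continue; }
    if ((a.type || "text").toLowerCase() === "hidden") continue; // token fields, skipped here
    const label = a.autocomplete || a.name || a.id || "";
    if (hidden && PERSONAL.test(label) && !/^off$/i.test(a.autocomplete || "")) findings.push(label);
  }
  return findings;
}

// Constructed sample: two visible fields, the rest kept out of view.
const SAMPLE = `<form>
  <input name="name" autocomplete="name">
  <input name="email" autocomplete="email">
  <div style="position:absolute; left:-5000px">
    <input name="phone" autocomplete="tel">
    <input name="address" autocomplete="street-address">
  </div>
  <input name="postal" style="display:none">
  <input type="hidden" name="csrf_token" value="constructed">
</form>`;
```

Calling `auditForm(SAMPLE)` returns the three out-of-view fields and ignores the two visible ones; fields hidden through external stylesheets or scripts need a check against the rendered page instead.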

Speaking to the media, Kuosmanen said …

I have known about this problem for some time. Something similar (honeypots) is used to catch bots and avoid spam. This is part of the same idea, only the catch is real users instead of bots. The idea for the demo came after Chrome automatically, and erroneously, filled in the fields of an e-commerce website. Then I went to see what details Chrome had saved for autocompletion and I was amazed at how much information was available.

For now the only advice we can give is to disable the autocomplete function. It is the only way (for now) to know that your personal data is safe.