In the wake of the massive Equifax breach, it’s pretty safe to say that data privacy is something we should all be concerned about. And even if you are staying vigilant about following modern network and data security best practices, a simple website setting may actually be putting your personal data at risk.
What is Autofill?
By default, your website browser remembers information that you submit through form fields on various websites. In this way, it can then offer both the autocomplete feature – where a suggestion is made for possible completion of the field once you start typing – and autofill, which is where certain fields are pre-populated for you.
Generally these features are enabled as the default setting.
The clear benefit from the user experience perspective is convenience.
It saves keystrokes - and therefore time -- when your browser can autofill data like your shipping or billing address for you. And businesses love it too, as it removes a proven barrier to conversion, i.e. the annoyance of filling out a long form that can cause potential leads or customers to abandon the form or shopping cart prior to completion.
After all, the best forms are the ones that we don’t have to spend time filling in ourselves.
It's a great solution, except for one thing...storing vulnerable data in our browser is a potential privacy and security risk.
What’s the Risk of Using AutoFill?
Earlier this year, a Finnish web developer and hacker named Viljami Kuosmanen discovered that by using the autofill features, browsers could be easily tricked into providing more personal information than intended on phishing sites.
The exploit – used on malicious sites - worked by obscuring certain text boxes, so that users won’t know they’ve been autofilled. It was discovered to work in Google Chrome, Safari, and Opera along with the LastPass plug-in.
The browser will typically only autofill the fields that are being asked for, withholding the rest. But this exploit signaled the browser to provide the data, while keeping it hidden from the user.
In short, it means that while users thought they were just providing first name and email address on one of these phishing sites, they were actually providing much more sensitive data into hidden fields, possibly including card information.
You can visit Github to see his original post, and watch a .gif that shows what he filled in versus what was captured.
While that’s just one recent example, it underscores the fact that hackers are well aware that there is a treasure trove of personal data on us stored in our browsers…all they have to do is figure out how to get to it, or to trick either us or the browsers (or both) into providing it.
The reality is that this bug is unlikely to be the only one out there. It may not even be the best or most clever one. We can’t know for sure, but what we do know is that saving your sensitive personal information in your web browser carries no guarantee of privacy in an age where cybersecurity threats, hacks, exploits and data breaches are the norm.
How to Disable AutoFill in Your Browser
If you’ve come to the conclusion that convenience of using autofill doesn’t outweigh your data security concerns, here is how you can disable autofill in the different browsers:
- Click on the 3-dot menu in the top right corner
- Go to Settings
- Scroll Down and Click on Advanced Settings
- Scroll down to Passwords and forms > Autofill settings
- Open this dialog box and then uncheck or use the slider button to disable Autofill
While in the Chrome Autofill settings section, you can also check towards the bottom of the page to review what – if any – credit cards you have previously saved and take the opportunity to decide if you want to delete them.
You may also want to consider reviewing the Manage Passwords section. You can use the 3-dots on the right to remove any saved passwords and/or turn off the Auto-Sign in feature that enables you to sign in to websites automatically using saved credentials.
- Go to Preferences and then select the Autofill header
- You’ll see a list of autofill information and from there, you can uncheck any data that you don’t want to allow Autofill to have access to
- Click on the 3-dots in the top right corner of the browser
- Go to Settings
- Scroll down to the bottom and click on Show Advanced Settings
- In the Privacy and services section, use the slider bar to turn off the Save form entries option
- Firefox requires manual autofill for text boxes, so no adjustments are necessary in this browser.
- Click the Opera button
- Go to Settings > Privacy & security
- Scroll down to Autofill
- Uncheck “enable auto-filling of forms on webpages” feature
Caution is King In a Data-Driven World
The fundamental question here is what’s the cost to you of this type of convenience?
Is saving a few keystrokes worth the risk when phishing schemes like this one are so commonplace these days?
It’s a question that we all need to be asking ourselves, given the vulnerability of our online profiles and the potential worst-case scenarios that can result from identify theft or loss of other private information.
We prefer to err on the side of caution, which is why we recommend that you at minimum avoid sharing personal information via forms on websites that you are unsure of, in case they are malicious sites in disguise.
Even better though is to disable autofill altogether, to avoid inadvertently sharing more information than you intend.
This of course is by no means a guarantee against a data breach, but it is one small (but important) step that you can take - among others - to help protect your privacy.
Want more great technology updates, news and other industry information delivered directly to your inbox? Subscribe to the blog and each week you'll get new useful tech news you can use.