A simple demo of phishing by abusing the browser autofill feature
anttiviljami Merge pull request #9 from randonia/javascript-event-handling
Show the user doesn't even need to provide input (ie: click submit) if automatic fill is on
Latest commit 3c61afb Jan 7, 2017
Type Name Latest commit message Commit time
.gitattributes 🌅 Jan 5, 2017
LICENSE.md 🌅 Jan 5, 2017
autofill-demo.gif 🌅 Jan 5, 2017
index.html Adds an input event listener to everything, negating the need for a u… Jan 7, 2017
package.json 🌅 Jan 5, 2017
readme.md Added reference to prior art Jan 7, 2017


Browser Autofill Phishing 🐟


This is a simple demonstration of form fields that are hidden from the user but are still filled in when the browser's form autofill feature is used. This poses a security risk: users are unaware that they are giving this information to the website.
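One way to audit a page for the hidden fields described above, as an added example that is not part of this repository. The record shape, the function names and the hiding heuristics are assumptions, and the sample records are constructed:

```javascript
// Added example (not the repository's code): flag form fields that can receive
// autofill data while being invisible to the user. The hiding heuristics are assumptions.

// Browser-side collector: reduce a form control to a plain record.
function describeField(el) {
  const style = window.getComputedStyle(el);
  const rect = el.getBoundingClientRect();
  return {
    name: el.name || el.id || '(unnamed)',
    type: el.type,
    visibility: style.visibility,
    opacity: parseFloat(style.opacity),
    // Document coordinates, so fields merely scrolled out of view are not flagged.
    left: rect.left + window.scrollX,
    top: rect.top + window.scrollY,
    width: rect.width,
    height: rect.height,
  };
}

// Input types that carry no user-entered data (assumed not to be autofill targets).
const SKIPPED_TYPES = new Set(['hidden', 'submit', 'button', 'reset', 'image']);

// Reasons a described field cannot be seen by the user.
function hiddenReasons(f) {
  const reasons = [];
  if (f.visibility !== 'visible') reasons.push('visibility');
  if (f.opacity === 0) reasons.push('opacity');
  // display:none (on the field or an ancestor) yields an all-zero rectangle.
  if (f.width === 0 || f.height === 0) reasons.push('zero-size');
  // Entirely left of or above the document origin: can never be scrolled into view.
  if (f.left + f.width < 0 || f.top + f.height < 0) reasons.push('off-screen');
  return reasons;
}

function findHiddenAutofillFields(fields) {
  return fields
    .filter((f) => !SKIPPED_TYPES.has(f.type))
    .map((f) => ({ name: f.name, reasons: hiddenReasons(f) }))
    .filter((r) => r.reasons.length > 0);
}

// Constructed sample records, shaped like describeField() output.
const SAMPLE_FIELDS = [
  { name: 'name', type: 'text', visibility: 'visible', opacity: 1, left: 20, top: 40, width: 200, height: 24 },
  { name: 'phone', type: 'tel', visibility: 'visible', opacity: 1, left: -500, top: 80, width: 200, height: 24 },
  { name: 'address', type: 'text', visibility: 'visible', opacity: 0, left: 20, top: 120, width: 200, height: 24 },
  { name: 'notes', type: 'text', visibility: 'visible', opacity: 1, left: 20, top: 5000, width: 200, height: 24 },
  { name: 'csrf', type: 'hidden', visibility: 'visible', opacity: 1, left: 0, top: 0, width: 0, height: 0 },
];
```

In a browser console, feed it live data with `findHiddenAutofillFields([...document.querySelectorAll('input, select, textarea')].map(describeField))`. Fields hidden by an ancestor's opacity or by clipping are not covered by these checks.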

Google Chrome behaviour

Here's the demo in action on the Google Chrome Browser:

[Image: Autofill Demo]

Other browsers

It works differently in some other browsers. For example:

  • In Safari, it will tell you all the data it is filling into the form, even if it isn't visible to you.

  • In Firefox, you have to right-click an input field and then select an identity to use, so a Firefox user autofills each field.

Live demo

View the page at: https://anttiviljami.github.io/browser-autofill-phishing/


Please feel free to submit pull requests to this repository for any additional information you feel is important!