A novel, complicated side-channel attack that exploits browser’s autofill preview functionality to infer information in user's profile.
The demos are for educational and demonstration purposes only!
The attack_demos folder needs to be uploaded to the public folder on webserver.
multiple_emails.html: obtain the email addresses from multiple profiles in the autofill.
The page infers the email address from 40,463 candidate values.
Affected browsers: prior to 89.0.4389.72.
Affected versions: all.
- Set up the address profile on Chrome.
Settings -> Autofill -> Addresses and more.
Set the email address between [email0, email40462]. You may have multiple profiles.
-
Visit the page at http://yourdomain.com/attack_demos/multiple_emails.html
-
Click the input field and mouse over different profiles. The page displays the results immediately.
preview_cc.html: infer user's credit card number from 102k candidate values. Payment autofill requires https connection.
Affected browsers: all Chromium-based browsers.
Affected versions: prior to 84.0.4147.89.
- Set up the payment profile on Chrome.
Settings -> Autofill -> Payment methods
Set the credit card number between [4123456789000000 - 4123456789100333].
-
Visit the page at https://yourdomain.com/attack_domos/preview_cc.html.
-
Click the input field and mouse over the profile. There are a few seconds delay before the page shows the result, depending on the device.
preview_phone.html: infer user's phone number from 102k candidate values.
Affected browsers: all Chromium-based browsers.
Affected versions: prior to 84.0.4147.89.
- Set up the address profile on Chrome.
Settings -> Autofill -> Addresses and more.
Set the phone number between [1234000000 - 1234100866].
-
Visit the page at http://yourdomain.com/attack_demos/preview_phone.html
-
Click the input field and mouse over the profile. There are a few seconds delay before the page shows the result, depending on the device.
- generate and distribute 40k email addresses to 199 <select> elements.
python3 attack_demos/menu_generator_py/generate_html.py- generate and distribute 100k phone numbers to 198 <select> elements.
python3 attack_demos/menu_generator_py/generate_html_phone.py- generate and distribute 100k credit card numbers to 198 <select> elements.
python3 attack_demos/menu_generator_py/generate_html_cc.pyA chrome extension that detects autofillable, hidden elements in a visitied page. It shows a warning message on lax mode, and remove these hidden elements on strict mode.
We provide the source code modification as a patch to Chromium.
The crawler is running on top of Selenium and an intrumented Chromium (Version 81.0.4009.0) / Firefox (Nightly Version 74).
In a crawl conducted during November 2019, these web pages were found to have hidden HTML elements autofilled by Chrome/Firefox.
You can read more about the details of our work in the following research paper:
Fill in the Blanks: Empirical Analysis of the Privacy Threats of Browser Form Autofill
If you use our code, data, or otherwise conduct research related to our work, please cite our paper PDF:
@inproceedings{lin2020fill,
title={Fill in the Blanks: Empirical Analysis of the Privacy Threats of Browser Form Autofill},
author={Lin, Xu and Ilia, Panagiotis and Polakis, Jason},
booktitle={Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security},
pages={507--519},
year={2020}
}