Keeping clients' computers safe and profitable for over 30 years



Critical Chrome Problem

Chrome has a critical security problem that you need to check if you ever, even occasionally, use Chrome. Their autofill function is very insecure. A new vulnerability was disclosed in late January. If autofill is turned on, and it is turned on by default, critical personal information can be stolen.

How the attack works

A site can appear to offer a simple form with just your name and email address on it. But the miscreants could hide more fields off the screen, usually to the left with negative coordinates. If they do this, Chrome, and possibly other password managers, will see those fields that you don't see and auto-fill them. They could grab credit card numbers, expiration dates, and home addresses this way without you having any idea what was happening.
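The hidden-field trick described above can be checked for by anyone reviewing a form. The following is an added example, not part of the original article: it flags form fields a visitor cannot see, using document coordinates so that fields placed at negative offsets stand out. The names `describeField`, `hiddenReasons` and `auditFields` are hypothetical, the sample data is constructed, and the checks beyond off-screen placement (zero size, CSS hiding, transparency) are an assumed generalization of "fields that you don't see".

```javascript
// In a browser: turn an <input> into a plain record. Coordinates are made
// document-relative so a field merely scrolled below the fold is not flagged.
function describeField(el) {
  const r = el.getBoundingClientRect();
  const s = getComputedStyle(el);
  return {
    name: el.name || el.id, type: el.type,
    left: r.left + window.scrollX, top: r.top + window.scrollY,
    width: r.width, height: r.height,
    display: s.display, visibility: s.visibility, opacity: parseFloat(s.opacity),
  };
}

// Reasons a field cannot be seen by the person filling in the form.
function hiddenReasons(f) {
  const reasons = [];
  if (f.left + f.width <= 0) reasons.push("off-screen left");
  if (f.top + f.height <= 0) reasons.push("off-screen top");
  if (f.width === 0 || f.height === 0) reasons.push("zero size");
  if (f.display === "none" || f.visibility === "hidden") reasons.push("css hidden");
  if (f.opacity === 0) reasons.push("transparent");
  return reasons;
}

// type="hidden" inputs carry server values (e.g. CSRF tokens) and are skipped.
function auditFields(fields) {
  return fields
    .filter((f) => f.type !== "hidden")
    .map((f) => ({ name: f.name, reasons: hiddenReasons(f) }))
    .filter((r) => r.reasons.length > 0);
}

// Constructed sample: a form that shows only name and email.
const visible = { type: "text", left: 40, top: 120, width: 200, height: 24,
                  display: "inline-block", visibility: "visible", opacity: 1 };
const SAMPLE_FIELDS = [
  { ...visible, name: "name" },
  { ...visible, name: "email", top: 160 },
  { ...visible, name: "cc-number", left: -1000 },
  { ...visible, name: "cc-exp", left: -1000, top: 160 },
  { ...visible, name: "street-address", top: 200, opacity: 0 },
  { ...visible, name: "csrf", type: "hidden", width: 0, height: 0 },
];

console.log(auditFields(SAMPLE_FIELDS));
```

In a browser console, `auditFields([...document.querySelectorAll("input, select, textarea")].map(describeField))` runs the same check against the live page.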

It is always dangerous to have a program fill in stuff automatically without telling you and requiring that you confirm it. Though it is convenient, it is dangerous. There is no reason to believe that this attack is limited to just Chrome. It probably will also work on other programs that automatically fill in forms for you.

Remember, the fields are being saved on your computer in your browser's data. They may or may not also be saved by the website. If you give a website your credit card security code, it may or may not save it, but your browser may save it on your computer in an unsafe way that allows your browser to divulge the information when you do not want it to.

Once malicious sites decide to target this information, they are bound to come up with lots of nefarious ways to access it. So it is best to simply not save it.

What to do

Under Chrome's advanced settings, at the bottom of the Settings menu, find the Passwords and forms section.

  • The first thing to do is uncheck Enable Autofill.
  • Next, you can check and see what sorts of stuff you had available to websites that manage to trigger autofill by clicking on "Manage Autofill Settings".
  • Finally, I recommend not using Google's password manager, but instead using KeePass or LastPass. If you insist on using Google's password manager, then be sure to use a good password to encrypt it. You should check if Chrome (or any other browser you use) saved passwords and which ones.
  • Delete any passwords you didn't want your browser to save.

Hopefully, Google will fix this problem soon, but really, don't have software automatically giving out your important information without you being in total control.

Date: February 2017

Creative Commons License
This article is licensed under a Creative Commons Attribution-NoDerivs 3.0 Unported License.
