Sign up for The Paypers newsletter Follow The Paypers on LinkedIn Follow The Paypers on Twitter Follow The Paypers on Facebook Follow The Paypers on Google +
The Paypers, paypers, Insight in payments, News, Reports, Events
Digital Identity, Security & Online Fraud

Password managers could let scammers steal sensitive information

Wednesday 11 January 2017 | 09:37 AM CET

Recently a new flaw has been discovered in popular browsers and password managers that lets scammers steal sensitive information.

The use of multiple usernames and passwords across different sites has become common online practice, and therefore people increasingly turn to password managers and browser autofill, which saves personal information and automatically pastes it to prevent repetitive typing, in order to log in.

The discovered flaw affects the autofill function on browsers including Google's Chrome and Apple's Safari. It also affects some plugins and add-ons including the LastPass password manager , according to The Telegraph.

Viljami Kuosmanen, a security researcher, has discovered that autofill will also paste information into hidden text boxes, allowing scammers to steal information without users knowing. This could include name, personally identifying information, email address, phone number and addresses.

To show how it works, Kuosmanen created a website that asks for a user's name and email address but contains hidden boxes that are automatically filled with address, organisation and phone number. The attack only works if users select one of the autofill suggestions, meaning the best method of protection is to avoid clicking on these until a fix has been released. Disabling autofill is also a possibility, as is managing security settings. For example, Chrome users can deselect "Enable Autofill to fill out web forms in a single click" in Settings -> Advanced.

It doesn't affect Mozilla's Firefox browser as this autofills each field individually, the online publication added.

More: Link