How Your Autofill Might Be Helping Hackers


Autofill tools save time, but attackers can silently exploit them using hidden code

When browsers automatically fill in saved usernames and passwords, most users feel grateful, not alarmed. But new research presented at the 2024 Annual Computer Security Applications Conference (ACSAC) shows that this convenience can quietly open the door to browser autofill vulnerability attacks.

The study, “Leaky Autofill: An Empirical Study on the Privacy Threat of Password Managers' Autofill Functionality,” exposes how password manager exploits using invisible iframes can silently siphon off login credentials without the user ever knowing.

A hidden trap in autofill convenience

Autofill is meant to save time by filling in login details automatically, especially on sites you visit often. But the same convenience that makes it helpful also makes it risky. The study shows that attackers can hide invisible frames on malicious or hacked websites. These hidden frames can trick your browser into autofilling saved usernames and passwords - without you ever seeing a thing - so that hackers can steal the information.

According to the researchers, this vulnerability doesn’t require user interaction. It only takes a visit to a malicious site, or to a legitimate site compromised with malicious third-party content. Once the page loads, the malicious content can get the browser to auto-insert the user's saved credentials into hidden login forms, capture them, and transmit them to an attacker-controlled server.

Autofill conveniences can put users at risk for having their information stolen.

Major browsers are vulnerable

The research team tested the attack on the top five desktop browsers: Chrome, Edge, Safari, Firefox, and Brave. They found Chrome, Edge, and Safari vulnerable to the full version of the attack. Firefox and Brave blocked some of the behavior, but still leaked autofilled data under certain conditions.

Notably, Chrome leaked passwords when its autofill inserted saved credentials into iframes, even when those iframes were invisible and off-screen. Safari’s password manager is slightly more conservative but still exhibits risky behavior and remains exposed to invisible-iframe attacks under specific scenarios. Only Brave and Firefox exhibit partial resistance, and even that isn't enough to consider users fully safe.

No warnings, no clues

One of the most troubling aspects of the attack is how stealthy it is. The autofill happens behind the scenes, with no visual indicators or prompts. Users don’t click anything or see anything out of the ordinary. There are no popups, no permissions requested - nothing to alert a person that a flaw in their browser is being exploited.

Even cautious users who avoid phishing and use trusted browser extensions can still be at risk. If a trusted website gets hacked or shows ads from a third-party source, it might unknowingly load a hidden attack using invisible frames.

Researchers call for stronger browser protections

The authors of the study recommend that browser vendors tighten the default behavior of autofill systems. At a minimum, autofill should require visible and user-initiated interaction before inserting credentials. They also suggest that browsers stop populating any fields inside iframes by default, particularly invisible ones.

The study also encourages web developers to implement security headers that prevent unauthorized embedding.

What you can do now

Until browser makers roll out fixes, the researchers recommend turning off autofill for passwords in browser settings, especially for users in high-risk categories like journalists, activists, or IT admins. Using a standalone password manager outside of your browser also helps to reduce exposure to iframe-based attacks.

In the meantime, users should be cautious about websites that include third-party scripts or advertising networks, as these are common vectors for iframe injection. Even a routine news site could unwittingly expose its visitors to credential theft.

To stay educated on additional ways that cybercrime can reach you, read up on these studies about how hackers can utilize your old phone numbers and how email autofill can open accidental back doors.

Author

Written and Edited by Lizzy Schinkel & WhatIsMyIP.com® Editorial Contributors

Lizzy is a tech writer for WhatIsMyIP.com®, where she simplifies complex tech topics for readers of all levels. A Grove City College graduate with a bachelor’s degree in English, she’s been crafting clear and engaging content since 2020. When she’s not writing about IP addresses and online privacy, you’ll likely find her with a good book or exploring the latest tech trends.