Google Chrome’s autofill is unsafe, may allow websites to steal credit card information


Autofill in Google Chrome, the feature that lets you save your information inside Chrome and automatically fill in online forms, is very convenient, but what if this convenience could send credit card information to web servers? It’s very possible, and this is something users should be aware of if they store such information within their Google Chrome web browser.

According to a Yoast report by Joost de Valk, a web developer could simply ask users to sign up for a newsletter, showing only the usual sign-up fields. That same developer could attach a separate field for credit card information, and the user wouldn’t know because it’s hidden from sight.

A pretty clever trick if you ask us, one that could really come in handy if someone wants to swipe credit card information from unsuspecting users on the web.
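An added example, not from the original article or the Yoast report: a static audit a defender could run over a page's HTML to list form fields that carry autofill-relevant hints but are concealed by an inline style or the `hidden` attribute. The pattern lists and the sample form are assumptions constructed for illustration, and styles applied through external CSS or script are not seen by this check.

```python
import re
from html.parser import HTMLParser
# Inline styles that remove an element from view (assumed, non-exhaustive list).
CONCEALED = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(left|top)\s*:\s*-\d{3,}", re.I)
# Autofill hints worth flagging: payment, contact and identity fields.
SENSITIVE = re.compile(r"cc-|card|address|street|postal|tel|phone|email|name", re.I)
CONTROLS = {"input", "select", "textarea"}
VOID = {"br", "hr", "img", "meta", "link"}

class ConcealedFieldAudit(HTMLParser):
    """Flags form controls that autofill could populate but the user cannot see."""
    def __init__(self):
        super().__init__()
        self.stack = []      # (tag, concealed) for every open container element
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k: v or "" for k, v in attrs}
        concealed = "hidden" in a or bool(CONCEALED.search(a.get("style", "")))
        if tag in CONTROLS:
            inherited = any(c for _, c in self.stack)  # concealed by an ancestor
            hint = " ".join(a.get(k, "") for k in ("autocomplete", "name", "id"))
            if (concealed or inherited) and SENSITIVE.search(hint):
                self.findings.append(a.get("autocomplete") or a.get("name") or a.get("id"))
        elif tag not in VOID:
            self.stack.append((tag, concealed))

    def handle_endtag(self, tag):
        # Unwind to the matching open tag so unclosed <p>/<li> do not skew the stack.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break

def audit(html):
    parser = ConcealedFieldAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample: a newsletter form with extra fields placed out of view.
SAMPLE = """<form action="/subscribe" method="post">
  <input name="email" autocomplete="email">
  <div style="display:none"><input name="phone" autocomplete="tel"></div>
  <input name="card" autocomplete="cc-number" style="position:absolute; left:-5000px">
  <button type="submit">Sign up</button>
</form>"""
print(audit(SAMPLE))
```

Visible fields are never reported, so an ordinary sign-up form returns an empty list.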

Now, it’s not all that terrible to use autofill if you don’t store financial information with it, but if you use your credit card quite often online, you might want to think twice about having it on. Our advice to you? Turn that thing off and save yourself the trouble. Here’s how to do it, young Padawan.

Fire up your Chrome web browser, go to settings, click on the advanced tab, then uncheck autofill under Password and Forms. That’s it, you’re now safe from harm.

Moreover, if you really want to have your credit card information automatically appear in some text box on the Internet, you can try LastPass. It’s more secure than Google Chrome’s data and password management, and it also gives the user more control.

[via Yoast]

  • Bub

    The Yoast article includes a sample form that shows you how this is done. With Chrome’s developer tools, you can reveal the hidden form fields and see how they are being populated, without even submitting the form to Yoast.

    I tried it out, and although my credit card information is stored in Chrome, I found that the form would not autopopulate the credit card fields, unless I actually used autocomplete on the cc-number, cc-exp-month, or cc-exp fields. And when you do that, Chrome pops up its dropdown with the credit card logo, so you know that it is happening.

    In short, I don’t think that it has been demonstrated that this technique can be used to steal credit card information without your knowledge. On the other hand, it is able to grab other information such as full name, physical address, and email address. Although the sample form didn’t include telephone, I was able to twiddle it to see that it could grab that as well.

  • Mikerman

    Thanks for calling attention to this and the alert–I knew there was a reason why I never felt, over the years, that I wanted to store credit card numbers in browser autostores . . . .

  • Fundi

    I took note of the information, and found that I could, in fact, delete any credit card info from Google, yet still retain street address, or other info that could help fill in forms. I have tried various password managers, and over the years have settled on Dashlane as the best for me.