How This Attack Works
When you use browser autofill, it fills ALL matching fields on a page - even ones you can't see. A form asking for just your name might secretly have hidden fields for your credit card, address, and phone number.
Hidden Fields
Fields positioned off-screen or with zero dimensions that autofill still populates.
Invisible Fields
Fields with opacity: 0 or visibility: hidden that still receive autofill data.
Covered Fields
Fields hidden under other elements but still functional for autofill.
Demo 1: "Simple Contact Form"
Looks innocent - just asks for your name and email. Click in a field and use autofill to see what happens.
Demo 2: "Newsletter Signup"
A typical newsletter form - just wants your email, right? Try autofill and see what else it grabs.
Demo 3: "Quick Checkout" (Most Dangerous)
Appears to be a simple form, but has hidden credit card fields. This is the scariest attack vector.
Why Does This Work?
- Browsers match form fields by their autocomplete attribute and name
- Autofill doesn't check if fields are visible - it fills everything that matches
- CSS hiding (position, opacity, display) doesn't prevent autofill
- Users only see the visible fields and don't realize other data was entered
- The form submission sends ALL field values, including hidden ones
How to Protect Yourself
- Disable autofill for sensitive data - Turn off credit card and password autofill in browser settings
- Use a password manager - They only fill fields you explicitly click on
- Check before submitting - Use browser dev tools (F12) to inspect forms on suspicious sites
- Use virtual cards - Services like Privacy.com create disposable card numbers
- Keep browsers updated - Modern browsers have some protections against this
- Be cautious on unfamiliar sites - Don't use autofill on sites you don't trust
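One way to carry out the "check before submitting" step, as an added example that is not part of the original demo: it flags fields hidden by the techniques described above (off-screen, zero-size, invisible, covered). The function names, the snapshot shape and the sample form are assumptions made for illustration; `snapshot` runs only in a browser, the rest runs anywhere.

```javascript
// Added example (not the demo's code): flag fields autofill can populate but the user cannot see.
const SENSITIVE = /^(cc-|tel|street-address|address-line|postal-code)/;

// Browser-only helper: capture what the check needs from a live form control.
function snapshot(el) {
  const cs = getComputedStyle(el), b = el.getBoundingClientRect();
  const top = document.elementFromPoint(b.x + b.width / 2, b.y + b.height / 2);
  return {
    name: el.name, autocomplete: el.autocomplete,
    style: { display: cs.display, visibility: cs.visibility, opacity: cs.opacity },
    rect: { x: b.x + scrollX, y: b.y + scrollY, width: b.width, height: b.height },
    covered: top !== null && top !== el, // another element is painted over the field
  };
}

// Return the hiding technique for one snapshot, or null if the field is visible.
// Limitation: opacity set on an ancestor is not inherited, so it is not detected here.
function hiddenReason(f) {
  const { style: s, rect: r } = f;
  if (s.display === 'none') return 'display:none';
  if (s.visibility === 'hidden') return 'visibility:hidden';
  if (parseFloat(s.opacity) === 0) return 'opacity:0';
  if (r.width === 0 || r.height === 0) return 'zero-size';
  if (r.x + r.width <= 0 || r.y + r.height <= 0) return 'off-screen';
  return f.covered ? 'covered' : null;
}

// List every non-visible field together with the data type it asks autofill for.
function auditForm(fields) {
  return fields
    .map(f => ({ name: f.name, autocomplete: f.autocomplete, reason: hiddenReason(f) }))
    .filter(r => r.reason !== null)
    .map(r => ({ ...r, sensitive: SENSITIVE.test(r.autocomplete) }));
}
// Constructed sample: a "name and email" form carrying four extra fields.
const field = (name, autocomplete, o = {}) => ({
  name, autocomplete, covered: !!o.covered,
  style: { display: 'block', visibility: 'visible', opacity: '1', ...o.style },
  rect: { x: 20, y: 40, width: 200, height: 24, ...o.rect },
});
const SAMPLE_FORM = [
  field('name', 'name'),
  field('email', 'email'),
  field('phone', 'tel', { rect: { x: -9999 } }),
  field('card', 'cc-number', { style: { opacity: '0' } }),
  field('addr', 'street-address', { rect: { width: 0, height: 0 } }),
  field('zip', 'postal-code', { covered: true }),
];
// In a browser console: auditForm([...document.querySelectorAll('input, select, textarea')].map(snapshot))
```

Any entry returned for a form that visibly asks only for a name or email is a reason not to autofill it.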
This demo is for educational purposes. No data is collected or transmitted.