Autofill Security Demo

See how malicious websites can use hidden form fields to steal your personal information through browser autofill.

How This Attack Works

When you use browser autofill, it fills ALL matching fields on a page - even ones you can't see. A form asking for just your name might secretly have hidden fields for your credit card, address, and phone number.

Hidden Fields

Fields positioned off-screen or with zero dimensions that autofill still populates.

Invisible Fields

Fields with opacity: 0 or visibility: hidden that still receive autofill data.

Covered Fields

Fields hidden under other elements but still functional for autofill.

Demo 1: "Simple Contact Form"

Looks innocent - just asks for your name and email. Click in a field and use autofill to see what happens.

Demo 2: "Newsletter Signup"

A typical newsletter form - just wants your email, right? Try autofill and see what else it grabs.

Demo 3: "Quick Checkout" (Most Dangerous)

Appears to be a simple form, but has hidden credit card fields. This is the scariest attack vector.

Why Does This Work?

  • Browsers match form fields by their autocomplete attribute and name
  • Autofill doesn't check if fields are visible - it fills everything that matches
  • CSS hiding (position, opacity, display) doesn't prevent autofill
  • Users only see the visible fields and don't realize other data was entered
  • The form submission sends ALL field values, including hidden ones

How to Protect Yourself

  • Disable autofill for sensitive data - Turn off credit card and password autofill in browser settings
  • Use a password manager - They only fill fields you explicitly click on
  • Check before submitting - Use browser dev tools (F12) to inspect forms on suspicious sites
  • Use virtual cards - Services like Privacy.com create disposable card numbers
  • Keep browsers updated - Modern browsers have some protections against this
  • Be cautious on unfamiliar sites - Don't use autofill on sites you don't trust
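
The dev-tools check above can be scripted. The following is an added example, not code from this demo page: it flags form fields that match the hiding techniques described earlier (off-screen, zero-size, opacity: 0, visibility: hidden, covered). The function names, the SENSITIVE token list and the sample data are assumptions made for illustration.

```javascript
// Added example (not from the demo page): flag autofillable inputs a user cannot see.
// SENSITIVE is an assumed list of autocomplete tokens worth highlighting.
const SENSITIVE = /(^|\s)(cc-|tel|street-address|address-|postal-code|bday)/;

// Pure classifier over plain objects, so it also runs outside a browser.
// right/bottom are page coordinates; a field ending at or before 0 is off-screen.
function hiddenReason(f) {
  if (f.display === 'none') return 'display:none';
  if (f.visibility === 'hidden') return 'visibility:hidden';
  if (parseFloat(f.opacity) === 0) return 'opacity:0';
  if (f.width === 0 || f.height === 0) return 'zero-size';
  if (f.right <= 0 || f.bottom <= 0) return 'off-screen';
  if (f.covered) return 'covered';
  return null;
}

// Returns one record per hidden field, marking those that would leak sensitive data.
function auditFields(fields) {
  return fields
    .map(f => ({ name: f.name, autocomplete: f.autocomplete, reason: hiddenReason(f),
                 sensitive: SENSITIVE.test(f.autocomplete || '') }))
    .filter(r => r.reason !== null);
}

// Browser-only collector. Limits: opacity set on an ancestor is not detected,
// and the covered check only works for fields currently inside the viewport.
function collectFields(doc, win) {
  return [...doc.querySelectorAll('input, select, textarea')].map(el => {
    const cs = win.getComputedStyle(el), r = el.getBoundingClientRect();
    const top = doc.elementFromPoint(r.left + r.width / 2, r.top + r.height / 2);
    return {
      name: el.name, autocomplete: el.getAttribute('autocomplete'),
      display: cs.display, visibility: cs.visibility, opacity: cs.opacity,
      width: r.width, height: r.height,
      right: r.right + win.scrollX, bottom: r.bottom + win.scrollY,
      covered: top !== null && top !== el && !el.contains(top),
    };
  });
}

// Constructed sample: what collectFields() might return for a "name + email" form.
const VISIBLE = { display: 'block', visibility: 'visible', opacity: '1',
                  width: 200, height: 30, right: 220, bottom: 130, covered: false };
const SAMPLE = [
  { ...VISIBLE, name: 'name', autocomplete: 'name' },
  { ...VISIBLE, name: 'email', autocomplete: 'email' },
  { ...VISIBLE, name: 'cc', autocomplete: 'cc-number', right: -9779 },
  { ...VISIBLE, name: 'phone', autocomplete: 'tel', opacity: '0' },
  { ...VISIBLE, name: 'addr', autocomplete: 'billing street-address', covered: true },
];
if (typeof document !== 'undefined') console.table(auditFields(collectFields(document, window)));
```

Pasted into the dev tools console on a page, the last line prints a table of hidden fields; any row with sensitive set to true is data the visible form never asked for.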