Security researcher Viljami Kuosmanen has discovered that autofill will also paste information into hidden text boxes, allowing scammers to steal information without users knowing. This could include name, personally identifying information, email address, phone number and addresses.

Credit card details could also be affected, although browsers tend to warn users before inputting this information on insecure sites.

As an example of how the scam could work, Kuosmanen created a website that asks for a user’s name and email address but contains hidden boxes that are automatically filled with address, organisation and phone number.
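A defender-side check for the kind of form described above, as an added example that is not Kuosmanen's code or part of the original article: it flags form fields that are present in the page but not visible to the user. The snapshot format, the function names and the sample field values are constructed assumptions.

```javascript
// Added example: flag form fields that are rendered but invisible to the user.
// Works on plain snapshots so it also runs outside a browser.

// True when a field snapshot would not be visible on the page.
function isHiddenFromUser(f) {
  const s = f.style, r = f.rect;
  if (s.display === "none" || s.visibility === "hidden") return true;
  if (parseFloat(s.opacity) === 0) return true;
  if (r.width <= 1 || r.height <= 1) return true; // also catches display:none ancestors
  return r.right <= 0 || r.bottom <= 0; // positioned off the page (left or top)
}

// Summarise a form: how many fields the user sees, and which ones they do not.
function auditFields(fields) {
  const hidden = fields.filter(isHiddenFromUser).map((f) => f.name);
  return { visible: fields.length - hidden.length, hidden };
}

// Browser-only helper (not called here): snapshot a live <form> element.
function snapshotForm(form) {
  return Array.from(form.querySelectorAll("input, select, textarea")).map((el) => {
    const cs = getComputedStyle(el);
    const b = el.getBoundingClientRect();
    return {
      name: el.name || el.id,
      style: { display: cs.display, visibility: cs.visibility, opacity: cs.opacity },
      // convert viewport coordinates to page coordinates
      rect: { width: b.width, height: b.height,
              right: b.right + window.scrollX, bottom: b.bottom + window.scrollY },
    };
  });
}

// Constructed sample mirroring the article: two visible fields, three unseen ones.
const shown = { display: "inline-block", visibility: "visible", opacity: "1" };
const box = { width: 240, height: 32, right: 300, bottom: 120 };
const SAMPLE_FIELDS = [
  { name: "name", style: shown, rect: box },
  { name: "email", style: shown, rect: box },
  { name: "address", style: { ...shown, display: "none" },
    rect: { width: 0, height: 0, right: 0, bottom: 0 } },
  { name: "organisation", style: shown, rect: { ...box, right: -760 } },
  { name: "phone", style: { ...shown, opacity: "0" }, rect: box },
];

console.log(auditFields(SAMPLE_FIELDS));
```

In a browser console the same audit runs on a live page as `auditFields(snapshotForm(document.forms[0]))`. It does not detect a field hidden only through an ancestor's opacity, so treat a clean result as a first pass rather than proof.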

The attack only works if users select one of the autofill suggestions, meaning the best method of protection is to avoid clicking on these until a fix has been released. Disabling autofill is also a possibility, as is managing security settings. For example, Chrome users can deselect “Enable Autofill to fill out web forms in a single click” in Settings -> Advanced.

The attack doesn’t affect Mozilla’s Firefox browser, because Firefox autofills each field individually.