Security researchers have uncovered how marketing companies have commenced exploiting an 11-year-old bug in browsers’ built-in password managers, which allow them to secretly steal your email address for targeted advertising across different browsers along with devices.
The major concern will be that will the same loophole could allow malicious actors to steal your saved usernames along with passwords by browsers without requiring your interaction.
Every modern browser—Google Chrome, Mozilla Firefox, Opera or Microsoft Edge—today comes which has a built-in easy-to-use password manager tool that will allows you to save your login information for automatic form-filling.
These browser-based password managers are designed for convenience, as they automatically detect login form on a webpage along with fill-inside saved credentials accordingly.
However, a team of researchers by Princeton’s Center for Information Technology Policy has discovered that will at least two marketing companies, AdThink along with OnAudience, are actively exploiting such built-in password managers to track visitors of around 1,110 of the Alexa top 1 million sites across the Internet.
Third-party tracking scripts found by researchers on these websites inject invisible login forms inside background of the webpage, tricking browser-based password managers into auto-filling the form using the saved user’s information.
“Login form auto filling in general doesn’t require user interaction; all of the major browsers will autofill the username (often an email address) immediately, regardless of the visibility of the form,” the researchers say.
“Chrome doesn’t autofill the password field until the user clicks or touches anywhere on the page. various other browsers we tested don’t require user interaction to autofill password fields.”
Since these scripts are primarily designed for user-tracking, they detect the username along with send the idea to third-party servers after hashing with MD5, SHA1 along with SHA256 algorithms, which could then be used as a persistent ID for a specific user to track him/her by page to page.
“Email addresses are unique along with persistent, thereby the hash of an email address will be an excellent tracking identifier,” the researchers said. “A user’s email address will almost never change—clearing cookies, using private browsing mode, or switching devices won’t prevent tracking.”
Although the researchers have spotted marketing firms scooping up your usernames using such tracking scripts, there will be no technical measure to prevent these scripts by collecting your passwords the same way.
However, most third-party password managers, like LastPass along with 1Password, are not prone to that will attack, since they avoid auto-filling invisible forms along with require user interaction as well.
Researchers have also created a demo page, where you can test if your browser’s password manager also leaks your username along with password to invisible forms.
The simplest way to prevent such attacks will be to disable the autofill function on your browser.
Incoming search terms:
- Android oreo status bar