Almost everyone uses browsers’ inbuilt login managers to save their login information that is auto-filled by the browser on websites.
However, researchers have found this is unsafe. They say third-party scripts can extract users’ email addresses from password managers; hash the collected addresses and send them to third-party servers.
These scripts were found accessing user-names, but they can potentially harvest passwords, too.
Details Scripts potentially serving targeting advertising
In a report by Freedom to Tinker (operated by Princeton University’s Center for Information Technology Policy), researchers claimed they found two third-party scripts – AdThink and OnAudience- exploiting login managers to steal login credentials.
They say these scripts can track users irrespective of which website they are accessing. They are likely serving advertisers; AdThink was caught sending information to Axicom, a consumer data company.
Email addresses Why are email addresses collected and hashed?
Explaining why email addresses are stolen, researchers said email ids are “unique and persistent”; hashing them is an “excellent tracking identifier.”
Using private modes for browsing, clearing cookies, or logging in from different devices cannot prevent tracking.
They added “hash of an email address” can “connect the pieces of online profile” across browsers, devices, apps and collect browsing history even after cookie clears.
Invisible FormThis is how the login information is secretly collected
The report says once the user enters login information on any website, the browser asks it should be saved in the login manager.
After the user goes to another page on the website, the third-party scripts “inject an invisible form” that gets filled by the password manager. A loophole causes the login manager to fill the details saved on the previous page automatically.
Here’s a demo page for testing the attack
PreventionHow to prevent third-party tracking scripts?
The report gave suggestions on how such third-party tracking scripts can be prevented.
Researchers recommended that publishers should isolate login forms on separate subdomains, preventing auto-filling on non-login pages; however, this is an “engineering complexity”. Alternatively, they can isolate third-parties using frameworks like Safeframe.
They also said users could install ad-blockers and anti-tracking software to prevent third-party tracking apart from disabling “login autofill”.