Prime Inspiration

Advertisers Are Exploiting Browser-Based Password Managers to Track Users

by

Amarnath Natarajan
in
Security - Login Credentials
Security – Login Credentials

According to a new security report, Ad targeters are pulling your emails and other details by exploiting a loophole in your browser’s password manager. It is not only your browser’s built-in password manager that is affected but also third-party password manager add-ons for your browser like LastPass and 1Password.

The report from Princeton’s Center for Information Technology Policy, claims that third-party scripts have been caught exploiting browser login managers to extract user information from websites for the purpose of tracking Web activity.

The researchers examined two different scripts – AdThink and OnAudience – both of are designed to get identifiable information out of browser-based password managers. Here is how it works:

First, the user fills up login credentials on a certain website and asks the browser to save the information to its login managers. Once the user shifts to another page on the website, these scripts insert an invisible form, which then automatically gets filled by the embedded password manager. That information can then be used as a persistent ID to track users from page to page, a potentially valuable tool in targeting advertising.

This script collects browser features including plugins, MIME types, screen dimensions, language, timezone information, user agent string, OS, and CPU information. Princeton’s report contradicts OnAudience’s claim that it uses only anonymous data.

The plugins focus largely on the usernames, but according to the researchers, there is no technical measure to stop scripts from collecting passwords the same way. The only robust fix would be to change how password managers work, requiring more explicit approval before submitting information

If a publisher directly embeds a third-party script, rather than isolating it in an iframe, the script is treated as coming from the publisher’s origin. Thus, the publisher (and its users) entirely lose the protections of the same origin policy, and there is nothing preventing the script from exfiltrating sensitive information.

These scripts were found in 1110 of the Alexa top 1 million sites, which does not sound too troubling. But it is. Collecting passwords using the same technology may be next.

Currently, there is no fix planned by the companies behind your favorite browsers and Password managers. Therefore, if you are interested in securing your credentials and other data, then you should disable autologin and auto-fill in your browsers and password managers. Additionally, you can employ adblockers and tracking protection addons for your browser to prevent any such third-party tracking.

The full article, complete with a video that demos this vulnerability, is available at this link.

Tags:

, , , , ,
Amarnath Natarajan Avatar
Amarnath Natarajan
I am a freelance programmer and tech enthusiast. In my spare time, I contribute to this website.

Help Us Grow

If you like this post, please share it with your friends.

You are free to copy and redistribute this article in any medium or format, as long as you keep the links in the article or provide a link back to this page.

Subscribe to Newsletter

Privacy Settings

Privacy & Cookie Overview

Our website uses cookies to provide you with the best user experience possible. These cookies are stored in your browser and perform essential functions such as recognizing you when you return to our website, as well as helping us to understand which sections of the website you find most useful and engaging.

To learn more, you can read our Privacy & Cookie Policy or reach out through our Contact form.

Strictly Necessary Cookies

Strictly Necessary Cookies must always be enabled to ensure the proper functioning of this website and to allow us to provide you with excellent service. These cookies are also essential for saving your cookie preferences.

Google Adsense

We use Google AdSense to keep this site free by displaying relevant ads. AdSense requires essential cookies that cannot be disabled, but you can manage other cookies. We respect your privacy and provide options to control non-essential cookies.

For more details on how Google handles your data, visit Google's Data Usage Policy. Please review our Privacy Policy for more information on how we protect your data.

AddToAny

We use AddToAny for social sharing. It doesn’t store cookies, ensuring a privacy-friendly experience. AddToAny complies with GDPR and CCPA by default.

For more, see their Privacy Policy.

OneSignal

We use OneSignal to send notifications to users who opt in. OneSignal complies with GDPR and is certified under the EU-US and Swiss-US Privacy Shield frameworks.

For more, see their Privacy Policy.

3rd Party Cookies

This website utilizes third-party cookies, which can enhance your experience and support our ongoing efforts to improve our services.

Google Analytics

We use Google Analytics to collect anonymous data, such as visitor numbers and popular pages, to improve user experience and site performance. Keeping this cookie enabled helps us refine the site based on visitor activity.

For more information, see Google’s Privacy Policy.

Discover more from Prime Inspiration

Subscribe now to keep reading and get access to the full archive.

Continue reading