Is your browser’s built-in login manager leaking your username (and possibly your password too)?
Researchers at Princeton’s Center for Information Technology Policy have uncovered two third-party tracking scripts that can scoop up information provided by your browser’s login manager to create a persistent identifier, tracking you as you move between webpages.
Here’s how it happens:
- You visit a webpage and fill out a login form. Your browser asks you if you want to save the login details.
- Later, you visit a different page on the same website, which includes the third-party tracking script. The tracking script inserts a login form that is invisible to the naked eye onto the webpage, and your browser’s password manager automatically fills in your credentials.
- The third-party script snaffles up your email address from the invisible form’s field and sends a hash of it to a third-party server.
What’s the solution? Simple. Don’t use a login manager that autofills forms without you giving it explicit permission to do so. You might be wiser using a product like 1Password, whose developers confirmed it was designed to always insist on user approval before filling forms.
If you allow your browser to automatically submit your username and password into forms silently and invisibly, there is always the danger that a malicious site or script may steal the information.
The two scripts spotted by the Princeton researchers – AdThink and OnAudience – appear to have been designed to grab hashed usernames to identify web visitors for ad-tracking purposes, but there is no technical reason why the same approach couldn’t also be used to steal autofilled passwords.
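As an added illustration of the defender’s side (this is example code, not from the article or the Princeton researchers), the check below flags forms on a page that look like the invisible, autofill-bait forms described above: a form containing a username, email or password field that the user cannot actually see. The descriptor shape, the `collectForms` helper and the sample forms are assumptions constructed for this example.

```javascript
// Field descriptors a content script would gather from each <form>; the shape is an
// assumption for this example, not the API of any real extension or library.
const USERNAME_HINTS = /user|email|login/i;

function looksLikeLoginField(field) {
  if (field.type === 'password' || field.type === 'email') return true;
  return field.type === 'text' &&
    (USERNAME_HINTS.test(field.name || '') || /username|email/.test(field.autocomplete || ''));
}

// "Invisible" means the user cannot see the form: hidden or transparent styles, no rendered
// area (also the case when an ancestor is display:none), or a box parked off the viewport.
function isInvisible(form) {
  const s = form.style, r = form.rect;
  if (s.display === 'none' || s.visibility === 'hidden') return true;
  if (Number(s.opacity) === 0) return true;
  if (r.width === 0 || r.height === 0) return true;
  return r.right < 0 || r.bottom < 0;
}

// Returns the forms a password manager might autofill without the user ever seeing them.
function findHiddenLoginForms(forms) {
  return forms.filter(f => isInvisible(f) && f.fields.some(looksLikeLoginField));
}

// Browser-only helper: build descriptors from the live DOM using standard APIs.
function collectForms(doc) {
  return Array.from(doc.querySelectorAll('form')).map((form, i) => {
    const cs = doc.defaultView.getComputedStyle(form);
    const r = form.getBoundingClientRect();
    return {
      id: form.id || `form-${i}`,
      style: { display: cs.display, visibility: cs.visibility, opacity: cs.opacity },
      rect: { width: r.width, height: r.height, right: r.right, bottom: r.bottom },
      fields: Array.from(form.querySelectorAll('input')).map(el =>
        ({ type: el.type, name: el.name, autocomplete: el.autocomplete })),
    };
  });
}

// Constructed sample: the site's real login form, plus an injected form placed far off-screen.
const SAMPLE_FORMS = [
  { id: 'site-login', style: { display: 'block', visibility: 'visible', opacity: '1' },
    rect: { width: 320, height: 120, right: 900, bottom: 400 },
    fields: [{ type: 'email', name: 'email' }, { type: 'password', name: 'pw' }] },
  { id: 'injected', style: { display: 'block', visibility: 'visible', opacity: '1' },
    rect: { width: 0, height: 0, right: -9000, bottom: -9000 },
    fields: [{ type: 'text', name: 'u', autocomplete: 'username' }, { type: 'password', name: 'p' }] },
];
if (typeof document !== 'undefined') console.log(findHiddenLoginForms(collectForms(document)));
```

Run in a browser console or content script it reports the hidden forms on the current page; under Node it runs against the constructed sample only.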
The researchers have built an online demo, where you can test whether you might be vulnerable.
It should go without saying – don’t enter real credentials on that demo page!
Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.