Using autofill for passwords? Well, you're being secretly tracked!
Almost everyone uses browsers' inbuilt login managers to save their login information that is auto-filled by the browser on websites. However, researchers have found this is unsafe. They say third-party scripts can extract users' email addresses from password managers; hash the collected addresses and send them to third-party servers. These scripts were found accessing user-names, but they can potentially harvest passwords, too. Here's more!
Third-party scripts present on 1,100 top websites
Researchers said: "We found two scripts using this technique to extract email addresses from login managers on the websites which embed them. These addresses are then hashed and sent to...third-party servers. These scripts were present on 1,110 of the Alexa top 1 million sites."
Scripts potentially serving targeting advertising
In a report by Freedom to Tinker (operated by Princeton University's Center for Information Technology Policy), researchers claimed they found two third-party scripts - AdThink and OnAudience- exploiting login managers to steal login credentials. They say these scripts can track users irrespective of which website they are accessing. They are likely serving advertisers; AdThink was caught sending information to Axicom, a consumer data company.
Why are email addresses collected and hashed?
Explaining why email addresses are stolen, researchers said email ids are "unique and persistent"; hashing them is an "excellent tracking identifier." Using private modes for browsing, clearing cookies, or logging in from different devices cannot prevent tracking. They added "hash of an email address" can "connect the pieces of online profile" across browsers, devices, apps and collect browsing history even after cookie clears.
This is how the login information is secretly collected
The report says once the user enters login information on any website, the browser asks it should be saved in the login manager. After the user goes to another page on the website, the third-party scripts "inject an invisible form" that gets filled by the password manager. A loophole causes the login manager to fill the details saved on the previous page automatically.
Here's a demo page for testing the attack
Researchers also created a demo page (https://senglehardt.com/demo/no_boundaries/loginmanager/) for users to test the third-party attack. Users only need to enter a "fake email address and password" and save the information in the login manager. On the next page, the form gets filled automatically by third-party scripts.
How to prevent third-party tracking scripts?
The report gave suggestions on how such third-party tracking scripts can be prevented. Researchers recommended that publishers should isolate login forms on separate subdomains, preventing auto-filling on non-login pages; however, this is an "engineering complexity". Alternatively, they can isolate third-parties using frameworks like Safeframe. They also said users could install ad-blockers and anti-tracking software to prevent third-party tracking apart from disabling "login autofill".
