    Using autofill for passwords? Well, you're being secretly tracked!


    By Ramya Patelkhana
    Jan 03, 2018
    02:01 pm

    What's the story

    Almost everyone uses browsers' inbuilt login managers to save login information, which the browser then auto-fills on websites.

    However, researchers have found this is unsafe. They say third-party scripts can extract users' email addresses from password managers, hash the collected addresses, and send them to third-party servers.

    These scripts were found accessing usernames, but they can potentially harvest passwords, too.

    Here's more!

    Quote

    Third-party scripts present on 1,100 top websites

    Researchers said: "We found two scripts using this technique to extract email addresses from login managers on the websites which embed them. These addresses are then hashed and sent to...third-party servers. These scripts were present on 1,110 of the Alexa top 1 million sites."

    Details

    Scripts potentially serving targeted advertising

    In a report by Freedom to Tinker (operated by Princeton University's Center for Information Technology Policy), researchers claimed they found two third-party scripts, AdThink and OnAudience, exploiting login managers to steal login credentials.

    They say these scripts can track users irrespective of which website they are accessing. They are likely serving advertisers; AdThink was caught sending information to Acxiom, a consumer data company.

    Email addresses

    Why are email addresses collected and hashed?

    Explaining why email addresses are stolen, researchers said email addresses are "unique and persistent", which makes the hash of an email address an "excellent tracking identifier."

    Using private modes for browsing, clearing cookies, or logging in from different devices cannot prevent tracking.

    They added that the "hash of an email address" can "connect the pieces of online profile" across browsers, devices and apps, and collect browsing history even after cookies are cleared.

    Invisible Form

    This is how the login information is secretly collected

    The report says once the user enters login information on any website, the browser asks whether it should be saved in the login manager.

    After the user goes to another page on the website, the third-party scripts "inject an invisible form" that gets filled by the password manager. A loophole causes the login manager to fill the details saved on the previous page automatically.
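For publishers who want to audit their own pages for the invisible-form behaviour described above, the following is an added example and not code from the report: it watches for forms inserted after page load and flags credential fields the user cannot see. The visibility thresholds, field-matching rules and function names are assumptions chosen for illustration.

```javascript
// Added example: audit heuristic, not code from the report. Thresholds and matching rules are assumptions.

// Fields a login manager is likely to autofill.
function isCredentialField(input) {
  const type = (input.type || '').toLowerCase();
  const ac = (input.autocomplete || '').toLowerCase();
  return type === 'email' || type === 'password' ||
    /\b(username|email|current-password)\b/.test(ac);
}

// True when the element is effectively invisible to the user.
function isHidden(el, getStyle) {
  const s = getStyle(el);
  const r = el.getBoundingClientRect();
  return s.display === 'none' || s.visibility === 'hidden' ||
    Number(s.opacity) === 0 || r.width <= 1 || r.height <= 1 ||
    r.right < 0 || r.bottom < 0;
}

// Credential inputs in `form` that the user cannot see.
function hiddenCredentialInputs(form, getStyle) {
  const formHidden = isHidden(form, getStyle);
  return Array.from(form.querySelectorAll('input'))
    .filter(isCredentialField)
    .filter((input) => formHidden || isHidden(input, getStyle));
}

// Report forms that gain hidden credential fields after page load.
function watchForInjectedForms(doc, win, report) {
  const getStyle = (el) => win.getComputedStyle(el);
  const observer = new win.MutationObserver((mutations) => {
    for (const m of mutations) {
      for (const node of m.addedNodes) {
        if (node.nodeType !== 1) continue; // elements only
        const forms = new Set(node.querySelectorAll('form'));
        const own = node.closest('form'); // node is, or sits inside, a form
        if (own) forms.add(own);
        for (const form of forms) {
          const hits = hiddenCredentialInputs(form, getStyle);
          if (hits.length) report({ form, fields: hits.map((i) => i.type) });
        }
      }
    }
  });
  observer.observe(doc.documentElement, { childList: true, subtree: true });
  return observer;
}

if (typeof document !== 'undefined') watchForInjectedForms(document, window, console.warn);
```

A hit is a prompt to check which script inserted the form, since some legitimate widgets also create hidden inputs.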

    Information

    Here's a demo page for testing the attack

    Researchers also created a demo page (https://senglehardt.com/demo/no_boundaries/loginmanager/) for users to test the third-party attack. Users only need to enter a "fake email address and password" and save the information in the login manager. On the next page, the form gets filled automatically by third-party scripts.

    Prevention

    How to prevent third-party tracking scripts?

    The report gave suggestions on how such third-party tracking scripts can be prevented.

    Researchers recommended that publishers should isolate login forms on separate subdomains, preventing auto-filling on non-login pages; however, this is an "engineering complexity". Alternatively, they can isolate third parties using frameworks like Safeframe.

    They also said users could install ad-blockers and anti-tracking software to prevent third-party tracking, in addition to disabling "login autofill".
