CYBER NEWS

Tracking Scripts Exploit Browsers’ Built-in Password Managers

Modern advertising techniques often border on the malicious, especially when it comes to the ways marketing companies collect users’ personal information. A team of researchers from Princeton’s Center for Information Technology Policy just discovered that at least two marketing companies are actively taking advantage of built-in password managers to track visitors of thousands of websites.

Related story: Truth and Advertising IRL: Stop Targeted Ads from Following You

The very same loophole, which has been known for at least a decade, could also allow attackers to steal users’ saved usernames and passwords from browsers without requiring any interaction and without users’ knowledge.

What is worse is that all major and widely used browsers, such as Google Chrome, Mozilla Firefox, Opera, and Microsoft Edge, are equipped with a built-in, easy-to-use password manager that manages users’ saved login information for automatic form-filling.

How Third-Party Scripts Exploit Browser’s Built-In Login / Password Managers

In their research, the experts “show how third-party scripts exploit browsers’ built-in login managers (also called password managers) to retrieve and exfiltrate user identifiers without user awareness.” This is perhaps the first official research to show that login managers are being abused by third-party scripts for the purposes of web tracking.

What is most troubling here is that this type of vulnerability in browser login managers has been known for quite some time.

Much of the past discussion has focused on password exfiltration by malicious scripts through cross-site scripting (XSS) attacks, the researchers explained. The good news is that the team hasn’t found password theft on the 50,000 sites that were analyzed in the process. Instead, researchers found tracking scripts embedded by the first party abusing the same technique to extract email addresses for creating tracking identifiers.

Researchers came across tracking scripts on websites that inject invisible login forms in the background of the page. This misleads browser-based password managers and makes them auto-fill the form with the saved user’s credentials.

Login form autofilling in general doesn’t require user interaction; all of the major browsers will autofill the username (often an email address) immediately, regardless of the visibility of the form.

How Your Email Becomes an Excellent Tracking Identifier

Chrome in particular doesn’t auto-fill the password field until the user clicks or touches anywhere on the page. The rest of the browsers the researchers examined don’t require any user interaction to auto-fill password fields. What usually happens is that these scripts detect the user’s username and send it to third-party servers, but first the usernames are hashed with the MD4, SHA1 and SHA256 algorithms. This information can be used as a persistent user ID to track that user from page to page, the researchers explain.

Email addresses are unique and persistent, and thus the hash of an email address is an excellent tracking identifier. A user’s email address will almost never change—clearing cookies, using private browsing mode, or switching devices won’t prevent tracking.

Related story: Google Knows About You, Know About Google!

Fortunately, third-party password managers are not vulnerable to this type of “marketing” attack. Most password managers avoid auto-filling invisible forms and require user interaction before filling them. As for the built-in browser password managers, the easiest way to prevent this behavior from ever taking place is to disable the autofill function within the browser.

The researchers have provided a demo page where users can test whether their browsers’ password managers expose usernames and passwords.

Milena Dimitrova


An inspired writer and content manager who has been with SensorsTechForum since the project started. A professional with 10+ years of experience in creating engaging content. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles! Follow Milena @Milenyim
