Modern advertising techniques are often borderline malicious, especially when it comes to the ways marketing companies gather users’ personal information. A team of researchers from Princeton’s Center for Information Technology Policy just discovered that at least two marketing companies are actively taking advantage of built-in password managers to track visitors of thousands of websites.
The very same loophole, which has been known for at least a decade, could also allow attackers to steal users’ saved usernames and passwords from browsers without requiring any interaction and without users’ knowledge.
Worse, all major and widely used browsers such as Google Chrome, Mozilla Firefox, Opera, and Microsoft Edge come with a built-in, easy-to-use password manager that stores users’ saved login information for automatic form-filling.
How Third-Party Scripts Exploit Browser’s Built-In Login / Password Managers
In their research, the experts “show how third-party scripts exploit browsers’ built-in login managers (also called password managers) to retrieve and exfiltrate user identifiers without user awareness.” This is perhaps the first official research to show that login managers are being abused by third-party scripts for the purposes of web tracking.
What is most troubling is that this type of vulnerability in browser login managers has been known for quite some time.
Much of the past discussion has focused on password exfiltration by malicious scripts through cross-site scripting (XSS) attacks, the researchers explained. The good news is that the team did not find password theft on the 50,000 sites that were analyzed. Instead, the researchers found tracking scripts embedded by the first party abusing the same technique to extract email addresses and turn them into tracking identifiers.
Researchers came across tracking scripts on websites that inject invisible login forms into the background of the page. This misleads browser-based password managers into auto-filling the form with the user’s saved credentials.
Login form auto-filling generally does not require user interaction; all of the major browsers will autofill the username (often an email address) immediately, regardless of whether the form is visible.
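As an added example (not the researchers’ code or their demo page), here is a small audit helper a site owner or browser-extension author could run to spot login forms that a browser would autofill although the user cannot see them. The form-description shape, the field selectors and the size/position thresholds are assumptions.

```javascript
// Added audit helper (not the researchers' code): flag login forms on a page
// that a browser would autofill although a user cannot see them. The form
// description shape and the size/position thresholds are assumptions.

// Return why a form box is invisible, or null if it is visible.
function hiddenReason(d) {
  if (d.display === 'none') return 'display:none';
  if (d.visibility === 'hidden' || d.visibility === 'collapse') return 'visibility:' + d.visibility;
  if (Number(d.opacity) === 0) return 'opacity:0';
  // A display:none ancestor gives the form a zero-size box, so this check
  // also catches forms hidden through a parent element.
  if (d.width <= 1 || d.height <= 1) return 'zero-size box';
  if (d.right <= 0 || d.bottom <= 0 || d.left >= d.viewportWidth || d.top >= d.viewportHeight) {
    return 'positioned off-screen';
  }
  return null;
}

// A form counts as a login form when it has both a username-like and a password field.
function isLoginForm(d) {
  return d.hasPasswordField && d.hasUsernameField;
}

// Return the login forms the user cannot see, with the reason each is hidden.
function findHiddenLoginForms(descs) {
  const hits = [];
  for (const d of descs) {
    const reason = hiddenReason(d);
    if (isLoginForm(d) && reason) hits.push({ id: d.id, reason });
  }
  return hits;
}

// Build a description from a real <form> element (browser only).
function describeForm(form, win) {
  const cs = win.getComputedStyle(form);
  const r = form.getBoundingClientRect();
  return {
    id: form.id || form.getAttribute('action') || '(anonymous form)',
    hasPasswordField: form.querySelector('input[type="password"]') !== null,
    hasUsernameField: form.querySelector('input[type="text"], input[type="email"], input[autocomplete="username"]') !== null,
    display: cs.display, visibility: cs.visibility, opacity: cs.opacity,
    width: r.width, height: r.height, left: r.left, top: r.top, right: r.right, bottom: r.bottom,
    viewportWidth: win.innerWidth, viewportHeight: win.innerHeight,
  };
}

// Constructed sample: what describeForm() would return for four forms on one page.
const VISIBLE = { display: 'block', visibility: 'visible', opacity: '1', width: 300, height: 120,
  left: 20, top: 40, right: 320, bottom: 160, viewportWidth: 1280, viewportHeight: 800 };
const SAMPLE_FORMS = [
  { id: 'site-login', hasPasswordField: true, hasUsernameField: true, ...VISIBLE },
  { id: 'newsletter', hasPasswordField: false, hasUsernameField: true, ...VISIBLE, display: 'none' },
  { id: 'injected-1', hasPasswordField: true, hasUsernameField: true, ...VISIBLE, display: 'none' },
  { id: 'injected-2', hasPasswordField: true, hasUsernameField: true, ...VISIBLE, left: -5000, right: -4700 },
];
// In a browser: findHiddenLoginForms([...document.forms].map(f => describeForm(f, window)))
```

Only the two injected forms are reported; the hidden newsletter form has no password field and is left alone.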
How Your Email Becomes an Excellent Tracking Identifier
Chrome in particular does not auto-fill the password field until the user clicks or touches anywhere on the page. The other browsers the researchers examined do not require any user interaction to auto-fill password fields. What usually happens is that these scripts read the auto-filled username and send it to third-party servers, after first hashing it with the MD4, SHA1 and SHA256 algorithms. The hashes can then be used as a persistent user ID to track that user from page to page, the researchers explain.
Email addresses are unique and persistent, and thus the hash of an email address is an excellent tracking identifier. A user’s email address will almost never change—clearing cookies, using private browsing mode, or switching devices won’t prevent tracking.
Fortunately, third-party password managers are not vulnerable to this type of “marketing” attack. Most of them refuse to auto-fill invisible forms and require user interaction before filling anything. As for the built-in browser password managers, the easiest way to prevent this behavior is to disable the autofill function within the browser.
Researchers have provided a demo page where users can test whether their browsers’ password managers expose usernames and passwords.