Password Managers can be exploited using Web Trackers

This type of abusive conduct is possible because of a configuration flaw in the login handlers included with all browsers, login managers that allow browsers to memorize a user’s username and password for particular sites and auto-insert it in login fields when the user revisits that site again.

Experts say that web trackers can install hidden login forms on sites anywhere the tracking scripts are loaded. Because of the way the login handlers work, the browser will fill these fields with the user’s login information, such as username and passwords.

The trick is an old one, identified for more than a decade, but until now it’s only been employed by hackers trying to collect login data during XSS (cross-site scripting) attacks.

Princeton researchers say they later found two web tracking settings that utilize hidden login forms to get login information.

Fortunately, none of the two services received password information, but only the user’s username or email address depending on what each area uses for the login process.

The two services are Adthink and On Audience, and Princeton researchers said they recognized scripts from these two that collected login info on 1,110 sites found on the Alexa Top 1 Million sites list.

In this particular case, the two corporations were extracting the username/email from the login field, creating a hash, and tieing that hash with the site visitor’s existing advocacy profile.

Email addresses are unique and persistent, and thus the hash of an email address is an excellent tracking identifier. A user’s email address will essentially never change clearing cookies, using private browsing mode, or switching devices won’t stop tracking. The hash of an email address can be used to attach the pieces of an online profile scattered across different browsers, devices, and mobile apps.

Researchers from the Princeton Center for Information Technology Policy (CITP) also produced a demo page that users can test using false credentials and see if their browser’s login supervisor fills in the hidden field.

Take your time to comment on this article.

Related posts

Water Facilities Must Secure Exposed HMIs – Warns CISA

Microsoft December Patch Tuesday Arrived With 70+ Bug Fixes

NachoVPN Attack Risks Corporate VPN Clients