Password Managers can be exploited using Web Trackers

This type of abusive conduct is possible because of a configuration flaw in the login handlers included with all browsers, login managers that allow browsers to memorize a user’s username and password for particular sites and auto-insert it in login fields when the user revisits that site again.

Experts say that web trackers can install hidden login forms on sites anywhere the tracking scripts are loaded. Because of the way the login handlers work, the browser will fill these fields with the user’s login information, such as username and passwords.

The trick is an old one, identified for more than a decade, but until now it’s only been employed by hackers trying to collect login data during XSS (cross-site scripting) attacks.

Princeton researchers say they later found two web tracking settings that utilize hidden login forms to get login information.

Fortunately, none of the two services received password information, but only the user’s username or email address depending on what each area uses for the login process.

The two services are Adthink and On Audience, and Princeton researchers said they recognized scripts from these two that collected login info on 1,110 sites found on the Alexa Top 1 Million sites list.

In this particular case, the two corporations were extracting the username/email from the login field, creating a hash, and tieing that hash with the site visitor’s existing advocacy profile.

Email addresses are unique and persistent, and thus the hash of an email address is an excellent tracking identifier. A user’s email address will essentially never change clearing cookies, using private browsing mode, or switching devices won’t stop tracking. The hash of an email address can be used to attach the pieces of an online profile scattered across different browsers, devices, and mobile apps.

Researchers from the Princeton Center for Information Technology Policy (CITP) also produced a demo page that users can test using false credentials and see if their browser’s login supervisor fills in the hidden field.

About the author

Mazen Elzanaty

Add Comment

Click here to post a comment

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: