This type of abusive conduct is possible because of a configuration flaw in the login handlers included with all browsers, login managers that allow browsers to memorize a user’s username and password for particular sites and auto-insert it in login fields when the user revisits that site again.
Experts say that web trackers can install hidden login forms on sites anywhere the tracking scripts are loaded. Because of the way the login handlers work, the browser will fill these fields with the user’s login information, such as username and passwords.
The trick is an old one, identified for more than a decade, but until now it’s only been employed by hackers trying to collect login data during XSS (cross-site scripting) attacks.
Princeton researchers say they later found two web tracking settings that utilize hidden login forms to get login information.
Fortunately, none of the two services received password information, but only the user’s username or email address depending on what each area uses for the login process.
The two services are Adthink and On Audience, and Princeton researchers said they recognized scripts from these two that collected login info on 1,110 sites found on the Alexa Top 1 Million sites list.
In this particular case, the two corporations were extracting the username/email from the login field, creating a hash, and tieing that hash with the site visitor’s existing advocacy profile.
Researchers from the Princeton Center for Information Technology Policy (CITP) also produced a demo page that users can test using false credentials and see if their browser’s login supervisor fills in the hidden field.