Login Managers Exploited By Third-Party Scripts To Capture User Emails

The lengths that advertisers and others will go to in order capture user identifies has been revealed by Princeton University researchers.

They warned that password or login managers were being used by third-party scripts to collect user email addresses.

It comes after Princeton University warned last November that there were more than 480 websites actively tracking every single keystroke made by visitors.

Invisible Forms

But now fresh research from Princeton University researchers Gunes Acar, Steven Englehardt, and Arvind Narayanan, has found that browser password or login manager is being exploited by web trackers.

They said on the Freedom to Tinker website (hosted by Princeton University’s Center for Information Technology Policy) that “a long-known vulnerability in browsers’ built-in password managers is abused by third-party scripts for tracking on more than a thousand sites.”

The problem stems from when a user visits a webpage and fills out a login form. The browser often asks if they want to save the login details.

“The underlying vulnerability of login managers to credential theft has been known for years,” they wrote. “Much of the past discussion has focused on password exfiltration by malicious scripts through cross-site scripting (XSS) attacks. Fortunately, we haven’t found password theft on the 50,000 sites that we analysed. Instead, we found tracking scripts embedded by the first party abusing the same technique to extract emails addresses for building tracking identifiers.”

It seems that the researchers examined two different scripts designed to get information from browser-based password managers.

“We found two scripts using this technique to extract email addresses from login managers on the websites which embed them,” they wrote. “These addresses are then hashed and sent to one or more third-party servers.”

The way these scripts work is that they inject invisible login forms into the background of a webpage and gather whatever the browser autofills into the available slots.

This information can then be used as a persistent ID to track users from web page to page.

“Built-in login managers have a positive effect on web security,” the researchers said. “Yet, browser vendors should reconsider allowing stealthy access to autofilled login forms in the light of our findings. More generally, for every browser feature, browser developers and standard bodies should consider how it might be abused by untrustworthy third-party scripts.”

Do Not Track

The discovery of these scripts is bound to raise some legal questions as these scripts seem to gather email addresses and web habits without specific user consent.

The Do Not Track campaign a couple of years ago proved immensely popular. It was designed to stop websites and advertisers from tracking the web browsing habits of people.

Indeed, online privacy remains a serious issue for some web users.

Previous research from Symantec for example found that one in three of us have provided false information online in order to safeguard our privacy.

Quiz: What do you know about privacy?

Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...

Recent Posts

NHS Challenged Over Data Contract With Palantir

Contract between NHS and data mining firm Palantir now at centre of lawsuit filed by…

56 mins ago

California Can Enforce Its Own Strict Net Neutrality Law

Open Internet Victory? Ruling from US federal judge rejects attempt by US broadband providers to…

2 hours ago

Australia Passes Amended ‘Media Bargaining Law’

Australia becomes first country in the world where a government arbitrator can set prices tech…

5 hours ago

Facebook Oversight Board Confirms Appeal Over Trump Ban

Unnamed 'user' files appeal with Facebook's Supreme Court (the Oversight Board) against the 'indefinite' ban…

6 hours ago

Facebook To Invest $1 Billion In News Industry

After the very public row with the Australian government, Facebook confirms it is investing $1…

24 hours ago

EU Opens Consultation On Gig Economy Worker Rights

After UK's top court rules Uber drivers are workers, European Commission begins consultation on gig…

1 day ago