Login Managers Exploited By Third-Party Scripts To Capture User Emails

The lengths that advertisers and others will go to in order to capture user identities have been revealed by Princeton University researchers.

They warned that password or login managers were being used by third-party scripts to collect user email addresses.

It comes after Princeton University warned last November that there were more than 480 websites actively tracking every single keystroke made by visitors.

Invisible Forms

Now fresh research from Princeton University researchers Gunes Acar, Steven Englehardt, and Arvind Narayanan has found that browser password or login managers are being exploited by web trackers.

They said on the Freedom to Tinker website (hosted by Princeton University’s Center for Information Technology Policy) that “a long-known vulnerability in browsers’ built-in password managers is abused by third-party scripts for tracking on more than a thousand sites.”

The problem stems from when a user visits a webpage and fills out a login form. The browser often asks if they want to save the login details.

“The underlying vulnerability of login managers to credential theft has been known for years,” they wrote. “Much of the past discussion has focused on password exfiltration by malicious scripts through cross-site scripting (XSS) attacks. Fortunately, we haven’t found password theft on the 50,000 sites that we analysed. Instead, we found tracking scripts embedded by the first party abusing the same technique to extract email addresses for building tracking identifiers.”

It seems that the researchers examined two different scripts designed to get information from browser-based password managers.

“We found two scripts using this technique to extract email addresses from login managers on the websites which embed them,” they wrote. “These addresses are then hashed and sent to one or more third-party servers.”

The way these scripts work is that they inject invisible login forms into the background of a webpage and gather whatever the browser autofills into the available slots.

This information can then be used as a persistent ID to track users from web page to web page.
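A site owner or researcher can look for this pattern in a page snapshot by flagging login or email fields that sit inside hidden or off-screen containers. The following is an added example, not the Princeton researchers' tooling; the sample page and the hiding heuristics (inline styles and the hidden attribute) are assumptions, so it only catches the simplest concealment tricks.

```python
"""Flag hidden login/email inputs in an HTML snapshot (added example).
The sample page below is constructed; the heuristics are assumptions."""
from html.parser import HTMLParser
import re

# Inline-style tricks commonly used to keep a form out of view.
HIDING = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|opacity\s*:\s*0(?:[^.\d]|$)"
    r"|(?:left|top)\s*:\s*-\d{3,}px"
    r"|(?<![\w-])(?:width|height)\s*:\s*0(?:px)?\s*(?:;|$)",
    re.I,
)
SENSITIVE_TYPES = {"password", "email"}
SENSITIVE_AUTOCOMPLETE = {"username", "current-password", "email"}


class HiddenLoginFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.stack = []      # (tag, hiding reason or None) for open elements
        self.findings = []   # (input type, name, reason) for concealed fields

    @staticmethod
    def _hiding_reason(attrs):
        if "hidden" in attrs:
            return "hidden attribute"
        m = HIDING.search(attrs.get("style", ""))
        return m.group(0) if m else None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        reason = self._hiding_reason(a)
        if tag == "input":  # void element: never pushed, nothing to pop
            kind = a.get("type", "text").lower()
            sensitive = kind in SENSITIVE_TYPES or \
                a.get("autocomplete", "").lower() in SENSITIVE_AUTOCOMPLETE
            # A field is concealed if it or any open ancestor is hidden.
            inherited = next((r for _, r in reversed(self.stack) if r), None)
            if sensitive and (reason or inherited):
                self.findings.append((kind, a.get("name", ""), reason or inherited))
            return
        self.stack.append((tag, reason))

    def handle_endtag(self, tag):
        for i in range(len(self.stack) - 1, -1, -1):  # tolerate sloppy markup
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break


def find_hidden_login_fields(html):
    p = HiddenLoginFinder()
    p.feed(html)
    p.close()
    return p.findings


SAMPLE_PAGE = """<form id="login" action="/login">
  <input name="user" type="email"><input name="pw" type="password"></form>
<div style="position:absolute; left:-9999px"><form id="tracker">
  <input type="email" name="e"><input type="password" name="p"></form></div>
<input type="password" name="x" hidden>"""  # constructed sample
```

The visible login form is not reported, while the two fields in the off-screen div and the field with the hidden attribute are.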

“Built-in login managers have a positive effect on web security,” the researchers said. “Yet, browser vendors should reconsider allowing stealthy access to autofilled login forms in the light of our findings. More generally, for every browser feature, browser developers and standard bodies should consider how it might be abused by untrustworthy third-party scripts.”

Do Not Track

The discovery of these scripts is bound to raise some legal questions as these scripts seem to gather email addresses and web habits without specific user consent.

The Do Not Track campaign a couple of years ago proved immensely popular. It was designed to stop websites and advertisers from tracking the web browsing habits of people.

Indeed, online privacy remains a serious issue for some web users.

Previous research from Symantec for example found that one in three of us have provided false information online in order to safeguard our privacy.


Tom Jowitt
