Ad firms using invisible login forms to steal user credentials from Chrome & Safari


Ad firms have been quietly harvesting saved login details from the built-in password managers of Google Chrome and Safari by planting invisible login forms on web pages, researchers have revealed.

Third-party scripts served by the ad firms Adthink and OnAudience read the email address the browser autofills into such a hidden form and use a hash of it to track users' browsing across sites and deliver targeted advertisements.

In a finding that will not surprise cyber security experts but that many web users will see as extremely intrusive, researchers at Princeton University have explained how ad firms such as Adthink and OnAudience use covert techniques to extract saved credentials from the password managers built into popular browsers like Google Chrome and Safari.

Scripts from these two firms, and possibly from other similar firms, insert login forms that are invisible to visitors into thousands of websites. Because browser password managers autofill such forms without asking, the scripts can read the saved credentials without the user's knowledge or consent.

‘First, a user fills out a login form on the page and asks the browser to save the login. The tracking script is not present on the login page. Then, the user visits another page on the same website which includes the third-party tracking script. The tracking script inserts an invisible login form, which is automatically filled in by the browser’s login manager. The third-party script retrieves the user’s email address by reading the populated form and sends the email hashes to third-party servers,’ the researchers noted.

The researchers added that the technique exploits the built-in password managers of popular browsers, which fill in saved usernames and passwords automatically to make logging in seamless. Because the hash of an email address is the same wherever it is computed, it serves as a persistent identifier: by collecting it, ad firms can link a user's activity and preferences across browsers, apps and devices.

Based on their analysis, the researchers concluded that login managers which autofill credentials without any user interaction are not only a security weakness but also a significant privacy threat. Website publishers can limit the exposure by hosting their login page on a separate domain: saved credentials are tied to the origin where they were stored, so the browser will not silently fill them into forms that third-party scripts inject on the site's other pages.

Visitors who use password managers can, for their part, install an ad blocker or tracking-protection extension that blocks the known tracking scripts. Browser vendors could close the hole at the source, either by turning off automatic filling in their login managers or by requiring an explicit user action, such as a click on the field, before saved credentials are entered into a form.
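As an added illustration, not code from the Princeton study or from any of the firms named here, the script below scans a page for the kind of hidden credential fields described in the quoted paragraph above and reports which of them already hold an autofilled value. It is the sort of check a tracking-protection extension, or a site owner auditing the third-party scripts on their pages, could run. It works in a browser console against `document`, and under Node against the constructed fake document at the bottom (the field names, the `alice@example.com` value and the hidden container are all made up here). The visibility heuristics (display, visibility, opacity, zero size, off-screen position) are assumptions about how such forms are typically hidden, not a list taken from the study.

```javascript
'use strict';

// Inputs a browser login manager is likely to fill: password and e-mail
// fields, explicit autocomplete hints, or names that look like a username.
const CREDENTIAL_AUTOCOMPLETE = new Set(['username', 'current-password', 'new-password']);
const CREDENTIAL_NAME_HINT = /user|email|login|pass/i;

function isCredentialInput(input) {
  const type = (input.getAttribute('type') || 'text').toLowerCase();
  const autocomplete = (input.getAttribute('autocomplete') || '').toLowerCase();
  const name = input.getAttribute('name') || '';
  return type === 'password' || type === 'email' ||
    CREDENTIAL_AUTOCOMPLETE.has(autocomplete) || CREDENTIAL_NAME_HINT.test(name);
}

// Computed style in a browser; the inline style object elsewhere (e.g. Node).
function styleOf(node) {
  if (typeof getComputedStyle === 'function') return getComputedStyle(node);
  return node.style || {};
}

// Assumed hiding techniques: the element or any ancestor is display:none,
// visibility:hidden, fully transparent, zero-sized, or pushed off-screen.
function isInvisible(el) {
  for (let node = el; node; node = node.parentElement) {
    const s = styleOf(node);
    if (s.display === 'none' || s.visibility === 'hidden' || String(s.opacity) === '0') return true;
    if (typeof node.getBoundingClientRect === 'function') {
      const r = node.getBoundingClientRect();
      if (r.width === 0 || r.height === 0 || r.right <= 0 || r.bottom <= 0) return true;
    }
  }
  return false;
}

// Report every hidden credential input and whether it already holds a value,
// i.e. whether the login manager has populated it.
function findInvisibleLoginForms(doc) {
  const findings = [];
  for (const input of doc.querySelectorAll('input')) {
    if (!isCredentialInput(input) || !isInvisible(input)) continue;
    findings.push({
      element: input,
      type: (input.getAttribute('type') || 'text').toLowerCase(),
      name: input.getAttribute('name') || '',
      autofilled: typeof input.value === 'string' && input.value.length > 0,
    });
  }
  return findings;
}

// Browser only: the tracking script inserts its form after the page has
// loaded, so keep scanning as the DOM changes and report each input once.
function watchForInjectedLoginForms(doc, onFindings) {
  if (typeof MutationObserver === 'undefined') return null;
  const reported = new WeakSet();
  const observer = new MutationObserver(() => {
    const fresh = findInvisibleLoginForms(doc).filter((f) => !reported.has(f.element));
    fresh.forEach((f) => reported.add(f.element));
    if (fresh.length > 0) onFindings(fresh);
  });
  observer.observe(doc.documentElement, { childList: true, subtree: true });
  return observer;
}

// --- Constructed sample (not captured from a real site) -------------------
// A minimal stand-in for the DOM so the scan runs under Node: each element
// has attributes, an inline style, a bounding box and a parent link.
const VISIBLE_RECT = { width: 240, height: 32, right: 400, bottom: 300 };
const COLLAPSED_RECT = { width: 0, height: 0, right: 0, bottom: 0 };

function fakeElement(attrs, { style = {}, rect = VISIBLE_RECT, parent = null, value = '' } = {}) {
  return {
    parentElement: parent,
    style,
    value,
    getAttribute: (name) => (name in attrs ? attrs[name] : null),
    getBoundingClientRect: () => rect,
  };
}

function buildSampleDocument() {
  // The site's own login form, rendered normally.
  const loginForm = fakeElement({ id: 'login' });
  const inputs = [
    fakeElement({ type: 'email', name: 'email' }, { parent: loginForm }),
    fakeElement({ type: 'password', name: 'password' }, { parent: loginForm }),
  ];
  // A form a tracking script inserted inside a display:none container; the
  // e-mail field already carries a value, as it would after autofill.
  const hiddenDiv = fakeElement({}, { style: { display: 'none' }, rect: COLLAPSED_RECT });
  const injected = fakeElement({}, { parent: hiddenDiv, rect: COLLAPSED_RECT });
  inputs.push(
    fakeElement({ type: 'email', name: 'email' },
      { parent: injected, rect: COLLAPSED_RECT, value: 'alice@example.com' }),
    fakeElement({ type: 'password', name: 'password' }, { parent: injected, rect: COLLAPSED_RECT }),
  );
  return { documentElement: null, querySelectorAll: (sel) => (sel === 'input' ? inputs : []) };
}

console.log(findInvisibleLoginForms(buildSampleDocument())
  .map(({ type, name, autofilled }) => ({ type, name, autofilled })));
```

On a real page, `watchForInjectedLoginForms(document, console.log)` keeps watching after load, which is when the tracking script acts. A MutationObserver fires after the insertion has happened, so this is detection rather than prevention: by the time the finding is reported the browser may already have filled the field, and an extension that wants to stop the leak has to block the tracking script from loading in the first place.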

‘Built-in login managers have a positive effect on web security: they curtail password reuse by making it easy to use complex passwords, and they make phishing attacks harder to mount. Yet, browser vendors should reconsider allowing stealthy access to auto-filled login forms in the light of our findings. More generally, for every browser feature, browser developers and standard bodies should consider how it might be abused by untrustworthy third-party scripts,’ the researchers concluded.

Copyright Lyonsdown Limited 2021
