Leading ad firms are secretly obtaining credentials of web users from password managers on Google Chrome and Safari by running invisible login forms on web pages, researchers have revealed.
Third-party scripts used by ad firms Adthink and OnAudience are extracting credentials of web users to track their browsing patterns and to deliver targeted advertisements.
In a revelation that won’t really surprise cyber security experts but will be seen as extremely intrusive by web users across the world, researchers at Princeton University have explained how ad firms like Adthink and OnAudience are using covert techniques to steal user credentials from password managers running on popular browsers like Google Chrome and Safari.
Third-party scripts run by these two ad firms, and possibly many more similar firms, are inserting login forms in the background on thousands of websites, forms that are invisible to website visitors. This way, they are able to obtain credentials from password managers, which autofill such forms without the knowledge or consent of the user.
‘First, a user fills out a login form on the page and asks the browser to save the login. The tracking script is not present on the login page. Then, the user visits another page on the same website which includes the third-party tracking script. The tracking script inserts an invisible login form, which is automatically filled in by the browser’s login manager. The third-party script retrieves the user’s email address by reading the populated form and sends the email hashes to third-party servers,’ the researchers noted.
They added that ad firms like Adthink and OnAudience are taking advantage of built-in password managers on popular browsers that automatically fill in username and password data to make the login experience more seamless. By capturing hashes of users’ email addresses with this technique, ad firms are able to determine a user’s browsing habits and preferences across browsers, apps and devices.
Based on their analysis, the researchers said that password managers that autofill credentials on login forms are not only security vulnerabilities but also significant privacy threats. However, website publishers can protect their visitors’ identities by putting login forms on separate domains, thereby isolating third-party scripts and their login forms.
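As an added example (not code from the article or the Princeton researchers), the check below is one a site owner could run to spot the pattern described above: credential inputs that a login manager would autofill but that the visitor cannot see, sitting outside the site’s own login form. The function names, the sample inputs and the browser wrapper are constructed for this illustration.

```javascript
// Added example (not from the article or the Princeton study).

// Does the described input render invisibly: display/visibility/opacity,
// zero size, or positioned entirely off-screen (e.g. left: -9999px)?
function isHiddenToUser(el) {
  if (el.display === 'none' || el.visibility === 'hidden') return true;
  if (Number(el.opacity) === 0 || el.width === 0 || el.height === 0) return true;
  return el.left + el.width <= 0 || el.top + el.height <= 0;
}

// Credential-like: a password field, or an email/text field named like a login.
function isCredentialField(el) {
  return el.type === 'password' || el.type === 'email' || /user|login|email/i.test(el.name || '');
}

// Inputs that are credential-like, hidden, and not inside a form the page itself
// declares legitimate (by form id). Works on plain descriptions, so it runs outside a browser.
function findSuspiciousCredentialInputs(inputs, trustedFormIds) {
  const trusted = new Set(trustedFormIds);
  return inputs.filter(el =>
    isCredentialField(el) && isHiddenToUser(el) && !trusted.has(el.formId));
}

// Constructed sample: the site's visible login form plus an injected
// off-screen form of the kind the article describes.
const SAMPLE_INPUTS = [
  { formId: 'site-login', type: 'email', name: 'email', display: 'block',
    visibility: 'visible', opacity: '1', width: 200, height: 30, top: 100, left: 40 },
  { formId: 'site-login', type: 'password', name: 'pw', display: 'block',
    visibility: 'visible', opacity: '1', width: 200, height: 30, top: 140, left: 40 },
  { formId: 'tr-form', type: 'text', name: 'username', display: 'block',
    visibility: 'visible', opacity: '1', width: 100, height: 20, top: 10, left: -9999 },
  { formId: 'tr-form', type: 'password', name: 'password', display: 'block',
    visibility: 'visible', opacity: '1', width: 100, height: 20, top: 10, left: -9999 },
];

// Browser-only wrapper (hypothetical): describe live inputs, re-run the check on
// every DOM change so a form injected after load is caught, and report findings.
function watchForInjectedLoginForms(trustedFormIds, report) {
  const describe = (n) => {
    const cs = getComputedStyle(n), r = n.getBoundingClientRect();
    return { formId: n.form && n.form.id, type: n.type, name: n.name, display: cs.display,
      visibility: cs.visibility, opacity: cs.opacity, width: r.width, height: r.height, top: r.top, left: r.left };
  };
  const check = () => findSuspiciousCredentialInputs(
    Array.from(document.querySelectorAll('input')).map(describe), trustedFormIds).forEach(report);
  new MutationObserver(check).observe(document.documentElement, { childList: true, subtree: true });
  check();
}
```

Calling `findSuspiciousCredentialInputs(SAMPLE_INPUTS, ['site-login'])` returns only the two off-screen inputs; passing a `report` callback that posts findings to the site’s own logging endpoint turns the wrapper into a lightweight monitor.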
At the same time, website visitors who use password managers can install ad blockers or tracking protection extensions to prevent tracking by invasive third-party scripts. Browser vendors can also stop the covert collection of user credentials by deactivating the autofill feature in their password managers or by requiring express user consent before autofilling login forms on websites.
‘Built-in login managers have a positive effect on web security: they curtail password reuse by making it easy to use complex passwords, and they make phishing attacks harder to mount. Yet, browser vendors should reconsider allowing stealthy access to auto-filled login forms in the light of our findings. More generally, for every browser feature, browser developers and standard bodies should consider how it might be abused by untrustworthy third-party scripts,’ the researchers concluded.