Welcome to WebmasterWorld Guest from 54.162.105.6

Forum Moderators: phranque

Featured Home Page Discussion

Browser Login Managers Exploited for Web Tracking

     
11:03 am on Jan 2, 2018 (gmt 0)

Administrator from GB 

WebmasterWorld Administrator engine is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month Best Post Of The Month

joined:May 9, 2000
posts:25202
votes: 685


Research published in the last few days shows how password manager tools in browsers are being exploited for web tracking. The scripts track usernames, but could be adapted to extract passwords, according to the researchers.
The researchers examined two different scripts AdThink and OnAudience both of are designed to get identifiable information out of browser-based password managers. The scripts work by injecting invisible login forms in the background of the webpage and scooping up whatever the browsers autofill into the available slots. That information can then be used as a persistent ID to track users from page to page, a potentially valuable tool in targeting advertising. Browser Login Managers Exploited for Web Tracking [theverge.com]
1:08 pm on Jan 2, 2018 (gmt 0)

Full Member from CA 

Top Contributors Of The Month

joined:Feb 7, 2017
posts: 263
votes: 20


Creativity, black hat style. Thanks for the tip.
11:09 pm on Jan 3, 2018 (gmt 0)

Preferred Member

10+ Year Member

joined:Mar 10, 2004
posts: 443
votes: 40


I hope they come up with some browser fixes soon, maybe along the lines of the browser prompting you before it attempts an autofill.
5:31 am on Jan 4, 2018 (gmt 0)

Moderator from US 

WebmasterWorld Administrator keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:11144
votes: 662


I've been telling people not to store their logins in browsers from the start. It was just a matter of time. Sorry for those who got burned.
6:16 pm on Jan 4, 2018 (gmt 0)

Preferred Member

10+ Year Member

joined:Mar 10, 2004
posts: 443
votes: 40


^^^ Why I use an external password manager!
3:13 pm on Jan 5, 2018 (gmt 0)

Junior Member from CA 

Top Contributors Of The Month

joined:Mar 2, 2017
posts:51
votes: 5


That's too bad. I'm still thinking that password is encrypted right? In chrome in order to check a particular password you need to give your OS credentials, am I right? If that is not enough, as motorhaven said, hopefully they come up with something quickly.
8:53 pm on Jan 5, 2018 (gmt 0)

Preferred Member

10+ Year Member Top Contributors Of The Month

joined:July 23, 2004
posts:520
votes: 53


Hasn't Google been doing this already for years? .. I read somewhere a few years ago that refreshing or otherwise clearing cache in Chrome didn't eliminate the fact that Google still knew where you had been and what you were doing even after cache was cleared, and effectively picked up where you had left off.
11:08 am on Jan 9, 2018 (gmt 0)

Moderator from US 

WebmasterWorld Administrator keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:11144
votes: 662


AFAIK Firefox has been the most vulnerable of the major browsers. The stored usernames and passwords are in 2 interconnected files, accessible from both the user's local machine as well as online.

Chrome keeps them encrypted in cloud storage.

I still wouldn't trust the security of any web browser with this level of sensitive information. Bank & credit card logins... Account logins where other sensitive personal information is on file... nope.

However, some people do this without giving it any thought at all. I even have a friend who's bank cheques display his full name, home address, telephone number, driver licence number and social security number. He sees nothing wrong with that :)
12:35 pm on Jan 11, 2018 (gmt 0)

New User

joined:Jan 11, 2018
posts:2
votes: 0


After so many years, I stopped using lastpass for good. Google's own password manager seems to work very well.