Some Advertiser Scripts Found to Use Browser Password Manager for User Tracking

Gunes Acar, Steven Englehardt, and Arvind Narayanan of Princeton’s Center for Information Technology Policy:

The underlying vulnerability of login managers to credential theft has been known for years. Much of the past discussion has focused on password exfiltration by malicious scripts through cross-site scripting (XSS) attacks. Fortunately, we haven’t found password theft on the 50,000 sites that we analyzed. Instead, we found tracking scripts embedded by the first party abusing the same technique to extract email addresses for building tracking identifiers.

The image above shows the process. First, a user fills out a login form on the page and asks the browser to save the login. The tracking script is not present on the login page. Then, the user visits another page on the same website which includes the third-party tracking script. The tracking script inserts an invisible login form, which is automatically filled in by the browser’s login manager. The third-party script retrieves the user’s email address by reading the populated form and sends the email hashes to third-party servers.
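As an added example, not code from the researchers or from either quoted source, here is a defender-side check for the pattern just described: a form injected after page load that is invisible to the user yet carries credential fields. The classification logic is separated from the DOM wiring so it can be exercised on constructed form descriptions; `report` is a hypothetical sink that a content script or userscript would replace with logging or blocking.

```javascript
// Added example: flag forms that are injected after load, are not visible,
// and contain credential fields -- the hidden-autofill pattern described above.

const CREDENTIAL_TYPES = new Set(['password', 'email']);
const CREDENTIAL_AUTOCOMPLETE = new Set([
  'username', 'email', 'current-password', 'new-password',
]);

// True if any input in the form looks like a login manager target.
function hasCredentialField(form) {
  return form.inputs.some((i) =>
    CREDENTIAL_TYPES.has((i.type || '').toLowerCase()) ||
    CREDENTIAL_AUTOCOMPLETE.has((i.autocomplete || '').toLowerCase()));
}

// "Hidden" covers display:none, visibility:hidden, zero opacity, a zero-size
// box (also what a form inside a display:none ancestor reports), or a box
// positioned entirely above or left of the viewport.
function isHidden(style, rect) {
  if (style.display === 'none' || style.visibility === 'hidden') return true;
  if (Number(style.opacity) === 0) return true;
  if (rect.width === 0 || rect.height === 0) return true;
  return rect.right <= 0 || rect.bottom <= 0;
}

// form: { inputs: [{ type, autocomplete }], style, rect } (constructed shape).
function isSuspiciousForm(form) {
  return hasCredentialField(form) && isHidden(form.style, form.rect);
}

// Browser wiring: observe forms added after initial load and report the
// suspicious ones. A form present in the original HTML is never reported.
function watchInjectedForms(report) {
  const describe = (el) => ({
    inputs: Array.from(el.querySelectorAll('input'))
      .map((i) => ({ type: i.type, autocomplete: i.autocomplete })),
    style: getComputedStyle(el),
    rect: el.getBoundingClientRect(),
  });
  new MutationObserver((mutations) => {
    for (const m of mutations) for (const n of m.addedNodes) {
      if (n.nodeType !== 1) continue; // elements only
      const forms = n.matches('form') ? [n] : Array.from(n.querySelectorAll('form'));
      for (const f of forms) if (isSuspiciousForm(describe(f))) report(f);
    }
  }).observe(document.documentElement, { childList: true, subtree: true });
}

if (typeof document !== 'undefined') {
  watchInjectedForms((f) => console.warn('hidden credential form injected', f));
}
```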

Russell Brandom, the Verge:

The plugins focus largely on the usernames, but according to the researchers, there’s no technical measure to stop scripts from collecting passwords the same way. The only robust fix would be to change how password managers work, requiring more explicit approval before submitting information.

I’m not sure if I’ve come across these scripts specifically, but on a few occasions, I have been surprised to see a Face ID indicator appear while visiting a website, without explicitly tapping in a login form. I appreciate automatically filled forms, but I do wish browsers would ask my permission first before handing over my email address and password.

Also, I think it’s worth pointing out how deliberate this is on the part of the trackers in question. Someone had to write the code to track users in this manner. Moreover, someone who manages them had to approve of this tracking mechanism. I can think of no circumstance under which someone could consider this kind of tracking ethical or morally sound.