Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!


Forgot your password?
Security Privacy The Internet

Web Trackers Exploit Flaw In Browser Login Managers To Steal Usernames (bleepingcomputer.com) 76

An anonymous reader writes: Princeton privacy experts are warning that advertising and analytics firms can secretly extract site usernames from browsers using hidden login fields and tie non-authenticated users visiting a site with their profiles or emails on that domain. This type of abusive behavior is possible because of a design flaw in the login managers included with all browsers. Experts say that web trackers can embed hidden login forms on sites where the tracking scripts are loaded. Because of the way the login managers work, the browser will fill these fields with the user's login information, such as username and passwords.

The trick is an old one, known for more than a decade but until now it's only been used by hackers trying to collect login information during XSS (cross-site scripting) attacks. Princeton researchers say they recently found two web tracking services that utilize hidden login forms to collect login information. The two services are Adthink (audienceinsights.net) and OnAudience (behavioralengine.com), and Princeton researchers said they identified scripts from these two that collected login info on 1,110 sites found on the Alexa Top 1 Million sites list. A demo page has been created to show how the tracking works.

This discussion has been archived. No new comments can be posted.

Web Trackers Exploit Flaw In Browser Login Managers To Steal Usernames

Comments Filter:
  • I remember reading about this years ago, and was under the impression that this had been fixed by browsers filling the form fields in the UI, but not in the DOM, until the user explicitly selected one of the fields in the same form. There are still some sneaky things you can do (for example, have a 1px by 1px form field so the user submits more information than they think they are submitting), but you can't just grab the data from the form until the user interacts with some part of it.
    • It should not be. For exactly the reason the article says, a sensible browser will only start autofilling once you start to interact with a field.

      • by fubarrr ( 884157 )

        But nothing prevents a synthetic event from triggering the filling in any webkit based browser

        • If the browser lets the event that triggers the filling be automated, yes. This is the part that must not be possible.

          Again, it's down to the browser, nothing else.

      • You mean like interacting with a keyword search or clicking on a preference tick box? The rest of the form would be invisible and auto-filled.

        I never let browsers store any of my login information. I take my laptop out and about a lot so I assume that it'll get lost or stolen sooner or later (luckily hasn't happened yet). Imagine losing your laptop with easily find-able passwords on it?

        I always use a separate, local, encrypted password manager and copy and paste the credentials across, then the paste-board

    • I remember reading about this years ago, and was under the impression that this had been fixed by browsers filling the form fields in the UI, but not in the DOM, until the user explicitly selected one of the fields in the same form.

      That's the case in Firefox :
      - you need to click on either the username or password field to get a pull-down menu that gives you information about the login, and gives you a selection of passwords saved in the manager.

      Also, with most browsers you get extensions like Block Origin, AdBlock Plus, etc. which are going to block most common advertisers.

      And extensions such as Privacy Badger which is going to block most common tracker.

      And specifically in Firefox (because it requires to either have the new additiona

      • by houghi ( 78078 )

        Firefox 52.5.0 (64-bit)
        Fill out username and pass and remember it. It shows username and pass.
        Redo it and add a new username and/or pass and it will see nothing.
        Remove one of the two and it will show username and pass.
        I deleted the first one. So it did not show the second one when there where two passwords, but did so when only one was available.

        I already have different blockers and trackers, so I installed Privacy Badger. Well, guess what? There was no difference.

        Remember: you still get can get fucked agai

    • by gweihir ( 88907 )

      All the old flaws are coming back, because the younger generation of developers have in general much less of a clue than the ones that created the flaws originally. It is really incredible how utterly clueless many developers are today when it comes to security.

  • My crystal ball tells me we'll hear about a surefire way to block those ad services in no later than 10 postings, 20 tops.

  • Good news (Score:4, Informative)

    by fennec ( 936844 ) on Thursday December 28, 2017 @06:15AM (#55820593)
    I just tested and it does not work with Lastpass (on Chrome)
    • Indeed. It however does work when you manually tell LastPass to fill a password. But nothing in the UI prompts you to do so, so I consider this safe behavior.

      • Indeed. It however does work when you manually tell LastPass to fill a password. But nothing in the UI prompts you to do so, so I consider this safe behavior.

        The important thing is what happens if there is a real login field and the third party fields are hidden.

        It looks like the only safe way to use LastPass is copy-and-paste. Which, in retrospect, makes sense.

        • In OSes and individual applications that might be in focus : clipboard stealing attacks commonly keep getting found, published, occasionally fixed. So you need to track a lot of vulnerabilities if you use copy and paste.

    • Ditto on LastPass and Firefox Developer (although, to be hones, LastPass on Firefox Quantum only seems to work 3/4 of the time anyway...)
    • by AmiMoJo ( 196126 )

      Doesn't work in Chrome full stop. Chrome doesn't auto-fill if any script on the page can read the login form, it waits for the user to start typing in the field. Same with credit card auto fill.

      • I just tried it with Chrome 63.0.3239.108; it retrieved the username immediately.
      • Not sure you actually tried it. I just did with Version 63.0.3239.84 (Official Build) (64-bit), and it immediately pulled the username, and as soon as I clicked on anything on the page it also grabbed the password.

    • This exploit does not works either with Private Windows on Firefox... but actually does works with Firefox Public Windows. Should we use only Firefox's Private windows from now on?
  • So are advertisers. They have no morals, just like marketing graduates...

  • Go to Kinkos, laminate and hang it in your all.

  • by klingens ( 147173 ) on Thursday December 28, 2017 @06:53AM (#55820709)

    This is simply outright what is colloquially known as "hacking". Which is why the CFAA needs to be applied. Why haven't these researchers told their AG?
    After all, when normal users find a unsecured database by some corporation and access it, they get sued too. Same standard here applies, and this time the culprits even use a documented security hole, meaning the crime is wholly willful.

    • by Anonymous Coward

      And the corporations even being located where they can be held responsible. Nice.

  • for the win! :)

  • Seems to prevent it from working. But another browser (Safari on OS X) which doesn’t block scripts by default gave up the credentials.

    So I guess the solution is NoScript or the equivalent.

  • by Anonymous Coward

    are the CEO's arrested yet?
    company assets seized?

    if not, when will this happen?

    • Came here to say this, If these ad companies were harvesting passwords, the punishments need to be dire. People need to go to jail, people at the top.

      Also, I've always thought that browser-integrated password managers were an inherently terrible idea due to the potential for exploits like this, so it's good to be proven right again.

  • More and more, the only defense is don't use it and don't have it.
  • So I wonder how the companies can justify this? I can't think of any compelling legal reason to get users' login information.

    • by Fringe ( 6096 )

      I'm not sure you know the meaning of the word "compelling". Or perhaps "legal". It may not seem ethical, but what they're doing is using another bit of data you are voluntarily (by virtue of your chosen browser settings) providing to "fingerprint" you. It is a bit worse than IP Address or cookie tracking, or way back when mobile phones included a device identifier in the header, but only barely.

      So why is it compelling? Because their revenue is based on tracking and monetizing your interests.

      Why is it le

  • by Anonymous Coward audienceinsights.net behavioralengine.com

  • From TFA:

    Fortunately, we haven’t found password theft on the 50,000 sites that we analyzed. Instead, we found tracking scripts embedded by the first party abusing the same technique to extract emails addresses for building tracking identifiers.

    Why would the first party need to steal my email address / username? I just used it to log in to their site!

    • I guess it only says "embedded by" so they may not be aware, or may be complicit in allowing the third-party to also get this information.
  • I don't think Firefox is vulnerable to this because it requires you to click in the field to fill your credentials first.

  • I'll just add this as yet another reason to use an ad blocker, a JavaScript blocker and not use a login manager.

I've noticed several design suggestions in your code.