There are a few things you'll hear in every conversation about internet security, and one of the first is to use a password manager. I've said it, most of my coworkers have said it, and chances are you've said it while helping someone else sort out ways to keep their data safe and sound. It's still good advice, but a recent study from Princeton University's Center for Information Technology Policy has found that the password manager built into your web browser, the one you might rely on to keep your information private, is also helping ad companies track you across the web.
It's a frightening scenario from all sides, mostly because it's not going to be easy to fix. What's happening isn't the stealing of any credentials — an ad company doesn't want your username and password — but the autofill behavior of a password manager is being exploited in a very simple way. An ad company places a script on a page (two called out by name are AdThink and OnAudience) that acts as a login form. It isn't a real login form, in that it won't log you in to any service; it's "just" a login form created by a script.
How it works
When your password manager sees a login form, it fills in a username. The browsers tested were Firefox, Chrome, Internet Explorer, Edge, and Safari. Chrome, for example, won't fill in the password until the user interacts with the form, but it fills in the username automatically. That's fine for the tracker, because the username is all the script wants or needs. The other browsers behaved the same way, as expected.
Once your username is entered, it and your browser ID are hashed into a unique identifier. Nothing needs to be saved on your computer or phone, because the next time you visit a site that uses the same ad company you get another script acting as a login form, and your username is entered once again. The data is compared to what's on file, and voilà: a unique identifier has been attached to you that can be (and is being) used to track you across the web. This works because it is expected and "trusted" behavior. Besides a roadmap of your internet habits, data found attached to this UUID includes browser plugins, MIME types, screen dimensions, language, timezone information, user agent string, OS information, and CPU information.
It works because of how the browser decides what to trust, which is tied to what's known as the Same Origin Policy. Content from two different sources isn't trusted to interact, but once you've chosen to visit a page, everything that page itself loads during the session is treated as part of that page (trust in this sense means you're purposefully viewing or interacting with the content). You've directed your browser to a webpage and interacted with a login form on that page, so it's all treated as trusted while you're there. In this case, though, the script was embedded into the page by a different source, and the form it creates shouldn't be trusted until you've clicked or interacted in some way to show you intended to be there.
If the offending page elements were embedded in an iframe, or by another method that keeps the source and destination of the data matched, the automatic nature of this exploit (and yes, I'll call it an exploit) wouldn't work.
There's a very good chance that the web publishers using ad services that exploit this behavior have no idea what's happening to their users. While that doesn't exempt them from responsibility, it is ultimately their product being used to harvest data from users without their knowledge, and that should make every site administrator concerned (and possibly very irate). As users, there's not much we can do other than follow the same "incognito" browsing practices we use when we want a little more privacy on the web: block all scripts, block all ads, save no data, accept no cookies, and basically treat each web session as its own sandbox.
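A site administrator who wants to know whether a form like the one described above has been injected into their pages can look for it in a snapshot of the rendered page. The scanner below is an added example written for this article, not code from the Princeton study or from any browser or ad vendor. It assumes you have exported the live DOM (for instance with the browser's inspector, since the tracking forms are created by script at runtime) and saved it as HTML; it then flags login-style inputs that sit inside a hidden or off-screen element, or that belong to a form posting to a host other than the page's own. The sample page and the host names news.example and tracker.example are constructed for the example.

```python
"""Heuristic scan of a rendered-page snapshot for login forms the user never sees.

Two signals are checked for every username/password-looking input:
  * is it inside an element hidden by inline style or the `hidden` attribute?
  * does its enclosing <form> post to a different host than the page itself?
Either one is worth a closer look on a page that is not supposed to have a login.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Elements with no closing tag; they must not take part in nesting bookkeeping.
VOID_TAGS = {"input", "br", "img", "meta", "link", "hr", "area", "base",
             "col", "embed", "source", "track", "wbr"}
# Inline-style fragments (spaces removed, lower-cased) that hide an element.
HIDING_STYLE_TOKENS = ("display:none", "visibility:hidden", "left:-", "top:-")
LOGIN_INPUT_TYPES = {"password", "email"}
LOGIN_NAME_HINTS = ("user", "login", "email")


def _is_hidden(attrs):
    """True if this element's own attributes hide it from the user."""
    if "hidden" in attrs:                      # boolean attribute, value irrelevant
        return True
    style = (attrs.get("style") or "").replace(" ", "").lower()
    return any(token in style for token in HIDING_STYLE_TOKENS)


def _is_login_input(attrs):
    """Password/email inputs, or anything named like a username field."""
    if (attrs.get("type") or "text").lower() in LOGIN_INPUT_TYPES:
        return True
    label = " ".join(filter(None, (attrs.get("name"), attrs.get("id"),
                                   attrs.get("autocomplete")))).lower()
    return any(hint in label for hint in LOGIN_NAME_HINTS)


class LoginFormScanner(HTMLParser):
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self._hidden_stack = []     # one bool per open non-void element
        self._form_action = None    # action of the enclosing <form>, if any
        self.findings = []

    def handle_startendtag(self, tag, attrs):
        # Treat <input .../> exactly like <input ...>: no end-tag bookkeeping.
        self.handle_starttag(tag, attrs)

    def handle_starttag(self, tag, attrs):
        attrs = {k.lower(): v for k, v in attrs}
        hidden_here = _is_hidden(attrs)
        if tag == "form":
            self._form_action = attrs.get("action") or ""
        if tag == "input" and _is_login_input(attrs):
            host = self._action_host()
            self.findings.append({
                "field": attrs.get("name") or attrs.get("id") or "<unnamed>",
                "type": (attrs.get("type") or "text").lower(),
                "hidden": hidden_here or any(self._hidden_stack),
                "action_host": host,
                "cross_origin": host != self.page_host,
            })
        if tag not in VOID_TAGS:
            self._hidden_stack.append(hidden_here)

    def handle_endtag(self, tag):
        if tag == "form":
            self._form_action = None
        if tag not in VOID_TAGS and self._hidden_stack:
            self._hidden_stack.pop()

    def _action_host(self):
        """Host the enclosing form posts to; relative or absent action = page host."""
        if self._form_action is None:
            return self.page_host
        return urlsplit(self._form_action).netloc.lower() or self.page_host


def scan_snapshot(html, page_url):
    """Return one record per login-looking input found in the snapshot."""
    scanner = LoginFormScanner(urlsplit(page_url).netloc)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def suspicious_fields(html, page_url):
    """Login inputs the user cannot see, or that post to another host."""
    return [f for f in scan_snapshot(html, page_url)
            if f["hidden"] or f["cross_origin"]]


# Constructed sample: a genuine login form plus an off-screen one injected by
# a third-party script that posts to a different host.
SAMPLE_PAGE = """<html><body>
<form action="/account/login" method="post">
  <input name="username"><input type="password" name="password">
</form>
<div style="position:absolute; left:-9999px">
  <form action="https://tracker.example/collect" method="post">
    <input name="login_email"><input type="password" name="pw">
  </form>
</div>
</body></html>"""

if __name__ == "__main__":
    for f in suspicious_fields(SAMPLE_PAGE, "https://news.example/article"):
        print(f"{f['field']} ({f['type']}): hidden={f['hidden']}, "
              f"posts to {f['action_host']}")
```

The heuristics are deliberately simple: a form hidden by a stylesheet rule rather than an inline style, or positioned off-screen by script after the snapshot was taken, will not be caught, so treat a clean result as a starting point rather than proof. Running the scan against snapshots taken with and without the ad scripts loaded is the quickest way to see which third party is responsible for a flagged form.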
Can it be fixed?
The only true fix is to change the way password managers work through the browser — both built-in tools and extensions or other plugins. Arvind Narayanan, one of the professors who worked on the project, puts it succinctly: "It won't be easy to fix, but it's worth doing."
Google, Microsoft, Apple, and Mozilla all shaped the web into what it is today, and they are capable of changing things to meet new issues. Hopefully, this is on the short list of changes.
Yeah, that doesn't surprise me at all. It's why I've always kept form autocomplete turned off.
I would like to know how the Brave browser behaves with such things. No one ever seems to include them in such tests and it is my primary browser as it blocks ALL advertising on websites. It has become my primary browser and I see no reason to return to any of the usual browsers as not one of them has the ad filtering ability of Brave.
Using a rare browser actually puts you at greater risk from fingerprinting.
I never store my passwords in browser. I use Bruce Schneier's Password Safe. Works great!
I use Enpass and I would imagine it would protect you from this since you have to put in your password in order to access the Enpass saved passwords. Plus, Enpass pretty much tells you every time you do something.
I want to believe so, and to me it doesn't auto submit anything; I have to click for the password I want to be entered.
So no solution as of yet?
Oh no... I'm being tracked on the INTERNET! You mean that I can't expect personal privacy in an entirely public space!?!
He means you are a moron. And we all agree.
Moron it is.
Roboform doesn't autofill anything unless you tell it to. Both the Firefox addon and Edge extension behave this way.