There are a few things you'll hear in every conversation about internet security, and one of the first is to use a password manager. I've said it, most of my coworkers have said it, and chances are you've said it while helping someone else sort out ways to keep their data safe. It's still good advice, but a recent study from Princeton University's Center for Information Technology Policy has found that the password manager built into your web browser, the one you might use to keep your information private, is also helping ad companies track you across the web.
It's a frightening scenario from all sides, mostly because it's not going to be easy to fix. What's happening isn't the theft of credentials (an ad company doesn't want your username and password); instead, the ordinary behavior of a password manager is being abused in a very simple way. An ad company places a script on a page (two called out by name are AdThink and OnAudience) that injects a login form. It's not a real login form, in the sense that it won't connect you to any service; it's "just" a form the script controls.
How it works
When your browser's built-in login manager sees a form it recognizes as a login form, it enters your saved username. Browsers tested were Firefox, Chrome, Internet Explorer, Edge, and Safari. Chrome, for example, will not enter the password until the user interacts with the page, but it enters the username automatically. That's fine for the tracker, because the username is all the script wants or needs. The other browsers behaved the same way, as expected.
Once your username is entered, the script reads it and hashes it (along with your browser ID) into a unique identifier. Nothing needs to be stored on your computer or phone, because the next time you visit a site that uses the same ad company you get another script injecting a login form, and your username is once again entered. The resulting hash is compared to what's on file, and et voilà, a unique identifier has been attached to you and can be (and is being) used to track you across the web. It works because this is expected and "trusted" behavior. Besides a roadmap of your internet habits, data found to be attached to this UUID also includes browser plugins, MIME types, screen dimensions, language, timezone information, user agent string, OS information, and CPU information.
The set of heuristics used to determine which login forms will be auto-filled varies by browser, but the basic requirement is that a username and password field be available.
It works because of what's known as the Same Origin Policy, or more precisely because of how third-party scripts slip past it. The policy keeps content from two different origins apart, but a script pulled into a page with an ordinary script tag runs inside the page's own origin, with the same access the site's own code has (trust in this sense means the browser treats it as part of the page you purposefully chose to visit). You've directed your browser to a webpage, the login manager sees a form on that page, and it fills the form as it would for the site's own login. The tracking script was embedded into the page but actually comes from a different source, and it can read what the manager fills in without you ever clicking or interacting in a way that shows you intended to log in.
If the offending page elements were instead loaded in a cross-origin iframe, or by some other method that kept the third party's form in the third party's own origin rather than the page's, the automatic-ness of this exploit (and yes, I'll call it an exploit) wouldn't work, because the script would no longer be reading a form that lives in the page you meant to visit.
There's a very good chance that the web publishers using ad services that exploit this behavior have no idea what's happening to their users. That doesn't exempt them from responsibility: it is ultimately their product being used to harvest data from users without their knowledge, and that should make every site administrator concerned (and possibly very irate). As a user, there isn't much you can do beyond the same "incognito" practices used when you want to stay a little more private on the web. That means blocking scripts, blocking ads, saving no data, accepting no cookies, and treating each web session as its own sandbox. Turning off the browser's automatic filling of saved logins, or using a manager that only fills after you explicitly ask it to, closes this particular hole at the cost of some convenience.
Can it be fixed?
The only true fix is to change the way password managers work through the browser — both built-in tools and extensions or other plugins. Arvind Narayanan, one of the professors who worked on the project, puts it succinctly: "It won't be easy to fix, but it's worth doing."
Google, Microsoft, Apple, and Mozilla all shaped the web into what it is today, and they are capable of changing things to meet new issues. Hopefully, this is on the short list of changes.