Ad Targeters Are Pulling Data From Your Browser’s Password Manager
The researchers examined two different scripts — AdThink and OnAudience — both of which are designed to get identifiable information out of browser-based password managers. The scripts work by injecting invisible login forms in the background of the webpage and scooping up whatever the browsers autofill into the available slots. That information can then be used as a persistent ID to track users from page to page, a potentially valuable tool in targeting advertising.
The plugins focus largely on the usernames, but according to the researchers, there’s no technical measure to stop scripts from collecting passwords the same way. The only robust fix would be to change how password managers work, requiring more explicit approval before submitting information.
Update (2018-01-02): Nick Heer:
I’m not sure if I’ve come across these scripts specifically, but on a few occasions, I have been surprised to see a Face ID indicator appear while visiting a website, without explicitly tapping in a login form.
Because 1Password insists on user action to fill a web form, it’s immune to the particular attack from advertising trackers and a large family of related attacks.
But, presumably, a tracking script on the login page would receive the form data.
Publishers, users, and browser vendors can all take steps to prevent autofill data exfiltration. We discuss each in turn.
Publishers can isolate login forms by putting them on a separate subdomain, which prevents autofill from working on non-login pages. This does have drawbacks including an increase in engineering complexity. Alternately they could isolate third parties using frameworks like Safeframe. Safeframe makes it easier for the publisher scripts and iframed scripts to communicate, thus blunting the effect of sandboxing. Any such technique requires additional engineering by the publisher compared to simply dropping a third-party script into the web page.
Users can install ad blockers or tracking protection extensions to prevent tracking by invasive third-party scripts. The domains used to serve the two scripts (behavioralengine.com and audienceinsights.net) are blocked by the EasyPrivacy blocklist.
Now we turn to browsers. The simplest defense is to allow users to disable login autofill.
Unfortunately, if you disable automatic AutoFill in Safari, you cannot then invoke it manually when you know you’re on a login page. The “AutoFill Form” command in the Edit menu is disabled.
See also: the 1Password blog post.
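A publisher-side check for the mitigations quoted above, as an added example that is not code from this post or from the researchers: it lists the third-party script hosts on a page, flags the two domains named above, and reports whether the page shares a hostname with the login form. It assumes autofill is scoped to the exact hostname, as the subdomain mitigation implies; `audit_page`, its parameters and the sample markup are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Domains the post names as serving the two scripts (blocked by EasyPrivacy).
KNOWN_TRACKERS = ("behavioralengine.com", "audienceinsights.net")


def in_domain(host, domain):
    """True if host is domain itself or one of its subdomains."""
    return host == domain or host.endswith("." + domain)


class ScriptCollector(HTMLParser):
    """Collects the src attribute of every <script> tag."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag == "script" and src:
            self.sources.append(src)


def audit_page(page_url, html, site_domain, login_host):
    """Flag pages where saved logins apply and scripts from other sites run."""
    collector = ScriptCollector()
    collector.feed(html)
    page_host = urlparse(page_url).hostname
    third_party, trackers = set(), set()
    for src in collector.sources:
        host = urlparse(urljoin(page_url, src)).hostname
        if host and not in_domain(host, site_domain):
            third_party.add(host)
            if any(in_domain(host, t) for t in KNOWN_TRACKERS):
                trackers.add(host)
    shares_login_host = page_host == login_host  # assumption: exact-host autofill
    return {
        "third_party_hosts": sorted(third_party),
        "known_trackers": sorted(trackers),
        "shares_login_host": shares_login_host,
        "exposed": shares_login_host and bool(third_party),
    }

# Constructed sample page: one local script and two external ones.
SAMPLE_HTML = """<script src="/static/app.js"></script>
<script src="//behavioralengine.com/example.js"></script>
<script src="https://widgets.example.net/w.js"></script>
<p>Article body</p>"""
```

Calling `audit_page` on the same markup once with `login_host` equal to the page's own host and once with a dedicated login subdomain shows the `exposed` flag change from true to false.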
Update (2018-01-24): Ricky Mondello:
Safari Technology Preview 48 changes how Password AutoFill works. Safari will no longer automatically fill user names and passwords into forms shortly after page load to prevent sharing information without user consent.