Browsers — we all use them, and many people (like yours truly) use them almost exclusively.
Of course one of the best things about modern browsers is their built-in password managers. With every site setting its own rules for password creation, anyone who registers on lots of websites finds managing all those different passwords a nightmare. That is why browser-based password managers have become the most widely used way of saving passwords. After all, who can remember all of their logins? And even if you can, why would you waste time typing everything out when your web browser can autofill it for you?
And so we come to the problem. We have known for a while about persistent cookies and tracking scripts following users around as they browse. It is largely down to ad agencies and marketing companies trying to build a giant database of users, capturing their interests, demographics and more, so that they can either re-sell the data to other firms or use it for targeted ads.
But a tracker with more malicious intentions can use the very same third-party script slot to read what the password manager autofills: the scripts found in the wild collect the email address, and the same access would hand them the password too.
According to Princeton University researchers Gunes Acar, Steven Englehardt and Arvind Narayanan, a number of websites embed third-party tracking scripts that abuse browser login managers to extract a user's email address (and, with the same technique, their password).
That login managers can be exploited by injected code (for example through an XSS flaw on the site) to steal saved credentials has been known for a long time. What the researchers say is new is the evidence that third-party scripts are using the same trick on the open web for tracking users, not just in targeted attacks.
Here’s how the attack works, in terms as simple as we can make them:
A user signs up on a website and saves their login credentials in the browser’s built-in login manager.
The user navigates to a different web page on the same site, but this time around, the tracking script is present to steal information.
What the script does is inject an invisible login form into the page. Login managers do not care whether the form is visible: all of the major browsers the researchers tested autofill the username field immediately, with no user interaction. The password field differs by vendor. Chrome waits for the user to click or touch somewhere on the page before filling it; the other browsers tested fill it without any interaction at all. Either way, the hidden form ends up filled.
The script then reads the autofilled email address, hashes it (the scripts observed sent MD5, SHA-1 and SHA-256 digests) and sends the hashes to its own server for tracking.
Now the question arises: why hashes? The answer is simple. For the most part, a user's email address does not change over their lifetime, so a hash of it is a stable identifier that can join up the user's activity across websites, devices, and even mobile apps that they log into with the same address. Hashing is not protection for the user, either: anyone holding a list of email addresses can hash them the same way and match the results. The trackers use this identifier to stitch together an elaborate profile of each user, which serves ads well and serves more malicious purposes just as well. And remember that the same hidden form is also filled with the password; a script that wanted it already has it. Since many people reuse one email-and-password combination across sites, a single captured password, or a minor variant of it, often opens several other accounts as well.
The researchers found two scripts that were collecting data with this technique, and, scarily enough, the scripts were embedded in 1,110 of the Alexa top 1 million websites.
Adthink, one of the companies behind the scripts, ships a very detailed taxonomy for the user data it collects, according to the researchers, with categories such as education, occupation, hair colour, eye colour and net income. It even has categories for alcohol and tobacco.
Vulnerabilities like this one are nothing new; in fact, this class of autofill abuse has been known and discussed for at least 11 years. Browser vendors have nonetheless been reluctant to change the behaviour, because as far as user experience goes everything works fine: the browser autofills passwords in login fields, users save time, and they are free to use long, complex passwords, which is itself a security win.
So what can we do about this? The researchers mention three different ways to tackle a problem such as this one.
Website builders can place login forms on a separate sub-domain. Login managers only autofill saved credentials on the origin they were saved for, so a tracker on the main site's other pages has nothing to harvest.
Users can run ad-blockers and anti-tracking extensions, which block known tracking scripts such as these outright.
Web browsers can (and should) let users disable autofill of saved logins entirely. It sounds a little extreme, but if a user is worried about their data, disabling autofill is probably their best bet. A less drastic change is for browsers to require a real user interaction before filling any field of a login form, which closes the silent, page-load variant of the attack while keeping autofill for people who want it.
The attack is a fairly easy one to perform, and one with serious privacy ramifications for the user. If you are interested in seeing how it works, you can watch it in action in this demo.
In addition, it is wise to build good password habits. Never reuse a password across important logins; a password manager (browser-based or otherwise) makes a unique password per site practical. There is no need to rotate passwords on a schedule, but do change one promptly if the site it belongs to is breached. And make sure none of them are built from easily guessed words or numbers such as your birth date or 12345678, or, god forbid, the word password!