Browser Password Manangers Exploited for User Tracking

Password managers are supposedly there to make web browsing easier and more convenient, but just recently news outlets that cover security issues have reported that these tools may not be as safe as we would want them to be. Therefore, in this article, we will cover the main issues pointed out by news reports that are associated with password manager tools. While these issues are not extremely grave, and it is up to you whether you want to keep using them, security experts suggest turning off the auto-fill function if you value your privacy.

Ad Network Abuse

From what we have gathered, this tracking mostly affects those logins details that rely mostly on email addresses. For instance, some login ID might be something you have come up yourself, while other sites may request that you enter your email address for your login ID. Later on, browser password manager uses tracking scripts to auto-fill the login details, so that the moment you open that website, you would get to your account at once, without needing to go through the manual login process again.

picture_01

These tracking scripts, however, can be exploited by certain ad networks to collect email addresses. The main problem here is that the same technique could be exploited to capture your passwords, too. So this shows that password managers may not be safe, no matter what the browser tells you. Please be aware that this vulnerability is present in all the most-commonly used password managers, including the built-in managers in popular web browsers (like Chrome or Firefox) and password manager extensions. Hence, there is a very good chance that the auto-fill tool may leak your information to unreliable third parties. Of course, that would not happen on purpose, but if a third party can find a way to attain its goals, it will sure do so.

How Does It Work?

As mentioned, the password manager will memorize your login credentials when you sign in to a website for the first time. You will sure notice a pop-up box on your browser that asks you whether you want the password manager to remember your login details. Normally, most of us click “Yes” without any second thought.

Now, the problem here is that quite a lot of the websites that we want to access run a lot of third-party advertising scripts. They usually run in the background, and these advertising campaigns can now exploit the password managers by creating fake login boxes. This happens in the background, and you do not even get to see those boxes, but they automatically trigger the password manager to fill out those details. As a result, the scripts capture your credentials.

The Importance of Unique Password

According to the report published by Freedom to Tinker, there are at least 1110 websites out there that advertisers use to capture user credentials. And those are not just your random websites. They are on the top of the most popular web pages, so it means that the number of users affected by this technique will only grow.

The sheer number of accounts infected will only grow if users use the same passwords across several different accounts. It goes without saying that once a third party gets a hold of your credentials, they can sign into your account. But now imagine if you use the same login and password for multiple accounts across the web: They could access them all!

Should I still use a Password Manager?

Yes. Cyber security experts are rather straightforward in this case. The point is that password manager can still help you store a lot of unique passwords across different platforms. And that is obviously safer than using one password for multiple accounts.

However, if there is one thing you should definitely consider doing that would be disabling the auto-fill option. Perhaps that would make account access less convenient, but it would surely be safer. The main problem here at the moment is that there are no regulations that would stop advertising companies from collecting your credentials via password managers.

Same Origin Policy

It is especially disturbing because the researchers at Freedom to Tinker claim that this vulnerability has been out there for at least 11 years. They say that this vulnerability persisted because technically, that is not a vulnerability big enough that could be considered a problem by browser developers.

The reason is that the Same Origin Policy is used as a framework for web’s security. It means that if the third-party content is embedded in the website directly by the publisher, it is treated as the “same origin” content, and the script is being considered safe. What’s more, this direct embedding is very common, and so these third-party scripts pass the security screening, and they can run freely without the fear of being exposed.

The bottom line is that Same Origin Policy is not equipped enough to cater to the realities of today’s Internet. There are bound to be many debates about this topic in the future, and browser vendors and publishers may share different views on the matter.

How to Fight This?

Since there are several parties affected by this vulnerability, all those parties can do something to prevent the data from being collected. According to Freedom to Tinker, publishers can use a separate subdomain to isolate login forms. Of course, such measures require additional engineering, and it might not be worth the trouble from the publishers’ perspective.

As far as users are concerned, they can use ad blockers to prevent invasive third-party scripts. Of course, there are certain websites out there that require you to keep your ad-block extension (if you use one) off if you want to enjoy all the services. So some users may not be too eager to use ad-blocks, but please remember that the option is always there.

Finally, as we have mentioned before, for browsers, it would be better to disable the auto-fill settings. It will not be disabled automatically because the function is very popular, so you should keep that in mind the next time you are about to log into your account on some page.

Overall, it will be interesting to follow the developments in this area. And we can only hope that this vulnerability will not be exploited by cyber criminals, as it might greatly undermine browser security in 2018.

References:

  1. Gunes Acar. No boundaries for user identities: Web trackers exploit browser login managers. Freedom to Tinker.
  2. Jerry Hildenbrand. Your web browser’s password manager is helping ad companies track you across the web. Android Central.
  3. Chris Hoffman. You Should Turn Off Autofill in Your Password Manager. How-To Geek.
  4. Nancy Owano. Researchers: Login managers abused by third-party scripts for tracking purposes. TechXplore.
  5. Chris Smith. Browser-based password managers are being exploited by advertisers. BGR