Web Trackers Exploit Flaw in Browser Login Managers to Steal Usernames (browser design flaw)

[LASER_oneXM]

Princeton privacy experts are warning that advertising and analytics firms can secretly extract site usernames from browsers using hidden login fields and tie non-authenticated users visiting a site with their profiles or emails on that domain.

This type of abusive behavior is possible because of a design flaw in the login managers included with all browsers, login managers that allow browsers to remember a user's username and password for specific sites and auto-insert it in login fields when the user visits that site again.

Experts say that web trackers can embed hidden login forms on sites where the tracking scripts are loaded. Because of the way the login managers work, the browser will fill these fields with the user's login information, such as username and passwords.

Old browser design flaw. New abuse.

The trick is an old one, known for more than a decade [1, 2, 3, 4, 5], but until now it's only been used by hackers trying to collect login information during XSS (cross-site scripting) attacks.


Princeton researchers say they recently found two web tracking services that utilize hidden login forms to collect login information.


Fortunately, none of the two services collected password information, but only the user's username or email address —depending on what each domain uses for the login process.


The two services are Adthink (audienceinsights.net) and OnAudience (behavioralengine.com), and Princeton researchers said they identified scripts from these two that collected login info on 1,110 sites found on the Alexa Top 1 Million sites list.

At the time of writing, all major browsers except Brave appear to be vulnerable to this type of attack, coughing up usernames and passwords from the hidden login fields.

Only Chromium-based browsers will delay the disclosure of the user's password until the user has interacted with the page via a click, albeit this is not a very secure method of protecting users, as most end up on clicking on a page.

Many site owners are probably unaware of this questionable tracking tactic, which means they are also unaware that they may be in a clear violation of the EU's upcoming GDPR regulation.


The simplest way to prevent such attacks would be if browsers would autofill the login fields only on user interaction with the actual login fields. If the fields are hidden, the user won't interact with them and this attack would become inefficient.

 

[oneeye]

I'm a bit late on this issue, but the main research was done by this group who found the replay-script issue, and this is second in that series.
No boundaries for user identities: Web trackers exploit browser login managers

Now, I wonder if using a master password in Firefox would prevent this invisible form from autofill? Chrome wouldn't, because as soon as you tap a page, it automatically fills forms if info available. Any browsers using Webview on newer Android would do the same. Only Firefox has master password that I'm aware of.

 

[DeepWeb]

It's incredible how this is not illegal. How is this not illegal? It's downright stealing credentials.

 

[oneeye]

It's incredible how this is not illegal. How is this not illegal? It's downright stealing credentials.

Absolutely it's Theft! And I'm not completely sure adblockers can keep up with all the garbage being slung at users these days. We definitely need some strong privacy laws to stop this shat soon!

 

[Danielx64]

The answer is to not use the password manager built into the browser

 

[oneeye]

The answer is to not use the password manager built into the browser

Very true! I do have "Keepass 2 for Android", which has a built-in keyboard for autofill, avoiding the insecure clipboard. And since I'm mobile only, this open-source freeware is the perfect solution.