Most web browsers come with a built-in password manager, a basic tool to save login data to a database and fill out forms and/or sign in to sites automatically using the information that is in the database.
Users who want more functionality rely on third-party password managers like LastPass, KeePass or Dashlane. These password managers add functionality, and may install as browser extensions or desktop programs.
Research from Princeton's Center for Information Technology Policy suggest that newly discovered web trackers exploit password managers to track users.
The tracking scripts exploit a weakness in password managers. What happens is the following according to the researchers:
The following graphic representation visualizes the workflow.
The researchers analyzed two different scripts designed to exploit password managers to get identifiable information about users. The two scripts, AdThink and OnAudience, inject invisible login forms in web pages to retrieve username data that is returned by the browser's password manager.
User tracking is one of the holy grails of online advertising. Companies use the data to create user profiles that record user interests based on a number of factors, for example based on the sites visited -- Sports, Entertainment, Politics, Science -- or from where a user connects to the Internet.
The scripts that the researchers analyzed focus on the username. Nothing is keeping other scripts from pulling password data as well however, something that malicious scripts have tried already in the past.
The researchers analyzed 50,000 websites, and found no traces of password dumping on any of them. They did find the tracking scripts on 1,100 of the top 1 million Alexa websites however.
The following scripts are used:
The Adthink script contains very detailed categories for personal, financial, physical traits, as well as intents, interests and demographics.
The researchers describe the functionality of the script in the following way:
Internet users can check the status of tracking and opt out of the collecting of data on this page.
The OnAudience script is "most commonly present on Polish websites".
Users can install content blockers to block requests to the domains mentioned above. The EasyPrivacy list does that already, but it is easy enough to add the URLs to the blacklist manually.
Another defense is the disabling of login data auto-filling. Firefox users can set the preference about:config?filter=signon.autofillForms to false to disable autofilling.
Is the advertisement publishing industry shoveling its own grave? Invasive tracking scripts are yet another reason for users to install ad and content blockers in web browsers.
Yes, this site has ads as well. I wish there was another option to run an independent site, or a company that would offer native advertisement solutions that run only on the server a site runs on, and does not require third-party connections or use tracking.
Advertising revenue is falling fast across the Internet, and independently-run sites like Ghacks are hit hardest by it. The advertising model in its current form is coming to an end, and we have to find other ways to continue operating this site.
We are committed to keeping our content free and independent, which means no paywalls, no sponsored posts, no annoying ad formats (video ads) or subscription fees.
If you like our content, and would like to help, please consider making a contribution:
Ghacks is a technology news blog that was founded in 2005 by Martin Brinkmann. It has since then become one of the most popular tech news sites on the Internet with five authors and regular contributions from freelance writers.