Automatic autofill of credentials, is it really safe?
Trackers have been found silently grabbing your information as you surf the web.
Is your browser’s built-in login manager leaking your username (and possibly your password too)?
Researchers at Princeton’s Centre for Information Technology Policy have uncovered two third-party tracking scripts that can scoop up information provided by your browser’s login manager to create a persistent identifier tracking you as you move between web pages.
Here’s how it happens:
- You visit a webpage and fill out a login form. Your browser asks you if you want to save the login details.
- Later, you visit a different page on the same website, which includes the third-party tracking script. The tracking script inserts a login form that is invisible to the naked eye onto the webpage, and your browser’s password manager automatically fills in your credentials.
- The third-party script snaffles up your email address from the invisible form’s field and sends a hash to a third-party server.
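The invisible form in the second step is something a site owner can audit their own pages for. The JavaScript below is an added example, not code from the Princeton researchers or from this post; the field-descriptor shape and the `addedAfterLoad` flag are assumptions (in a browser they would be filled in from `getComputedStyle()`, `getBoundingClientRect()` and a `MutationObserver`).

```javascript
// Added example: flag credential inputs that a user could not see.
// Descriptors are plain objects (assumed shape) so this runs without a browser.
const CREDENTIAL_TYPES = new Set(["password", "email"]);
const NAME_HINT = /user|login|email|pass/i;

function isCredentialField(f) {
  return CREDENTIAL_TYPES.has(f.type) || NAME_HINT.test(f.name || "") ||
    /username|email|password/.test(f.autocomplete || "");
}

// Reasons a field is effectively invisible; an empty array means visible.
function hiddenReasons(f) {
  const reasons = [];
  if (f.display === "none") reasons.push("display:none");
  if (f.visibility === "hidden") reasons.push("visibility:hidden");
  if (Number(f.opacity) < 0.1) reasons.push("near-zero opacity");
  if (f.width < 2 || f.height < 2) reasons.push("collapsed size");
  // Negative document coordinates (e.g. left:-9999px) can never scroll into view.
  if (f.left + f.width < 0 || f.top + f.height < 0) reasons.push("off-screen");
  return reasons;
}

// Invisible credential fields, with injected-after-load ones listed first.
function auditFields(fields) {
  return fields
    .filter(isCredentialField)
    .map(f => ({ name: f.name, injected: Boolean(f.addedAfterLoad), reasons: hiddenReasons(f) }))
    .filter(x => x.reasons.length > 0)
    .sort((a, b) => Number(b.injected) - Number(a.injected));
}

// Constructed sample: one real login field, two hidden ones, one hidden search box.
const base = { display: "block", visibility: "visible", opacity: "1",
               width: 240, height: 32, left: 100, top: 200, addedAfterLoad: false };
const SAMPLE_FIELDS = [
  { ...base, name: "email", type: "email", autocomplete: "username" },
  { ...base, name: "email", type: "email", display: "none", width: 0, height: 0,
    left: 0, top: 0, addedAfterLoad: true },
  { ...base, name: "pwd", type: "password", opacity: "0", left: -9999, addedAfterLoad: true },
  { ...base, name: "q", type: "text", display: "none", width: 0, height: 0 },
];

for (const hit of auditFields(SAMPLE_FIELDS)) {
  console.log(`${hit.name}: ${hit.reasons.join(", ")} (injected=${hit.injected})`);
}
```

A hidden credential field that appears after page load and was not written by the site's own code is the pattern worth investigating; hidden non-credential fields such as the search box are ignored.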
Fed up with automatic autofill of credentials? What’s the solution? Simple. Don’t use a login manager that autofills forms without you giving it explicit permission to do so. You might be wiser using a product like 1Password, whose developers confirmed it was designed to always insist on user approval before filling forms.
If you allow your browser to automatically submit your username and password into forms silently and invisibly, there is always the danger that a malicious site or script may steal the information.
The two scripts spotted by the Princeton researchers – AdThink and OnAudience – appear to have been designed to grab hashed usernames to identify web visitors for ad-tracking purposes, but there is no technical reason why the same approach couldn’t also be used to steal autofilled passwords.
The researchers have built an online demo, where you can test whether you might be vulnerable.
It should go without saying – don’t enter real credentials on that demo page!