Automatic autofill of credentials, is it really safe?


Is automatic autofill of credentials really safe? Trackers have been found silently grabbing your information as you surf the web.


Is your browser’s built-in login manager leaking your username (and possibly your password too)?

Researchers at Princeton’s Centre for Information Technology Policy have uncovered two third-party tracking scripts that can scoop up information provided by your browser’s login manager to create a persistent identifier tracking you as you move between web pages.

Here’s how it happens:

  • You visit a webpage and fill out a login form. Your browser asks you if you want to save the login details.
  • Later, you visit a different page on the same website, which includes the third-party tracking script. The tracking script inserts a login form that is invisible to the naked eye onto the webpage, and your browser’s password manager automatically fills in your credentials.
  • The third-party script snaffles up your email address from the invisible form’s field and sends a hash to a third-party server.
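A defender-side check for the hidden form described above, as an added example that is not from the original article or the Princeton research: it flags injected forms whose credential fields are invisible and records whether the inserting script is third-party. The record shape, the function names and the `.example` URLs are assumptions; in a browser the `style` and `rect` values would come from `getComputedStyle` and `getBoundingClientRect`.

```javascript
// Added example (not from the page or the Princeton researchers).
// Input: snapshots of forms added after page load; the record shape is an assumption.
const CREDENTIAL_TYPES = new Set(["email", "password"]);
const CREDENTIAL_AUTOCOMPLETE = new Set(["username", "email", "current-password"]);

const isCredentialField = (f) =>
  CREDENTIAL_TYPES.has(f.type) || CREDENTIAL_AUTOCOMPLETE.has(f.autocomplete);

// Invisible to the user: hidden by CSS, transparent, collapsed, or positioned off-screen.
function isInvisible(f) {
  const { style: s, rect: r } = f;
  return s.display === "none" || s.visibility === "hidden" || Number(s.opacity) === 0 ||
    r.width <= 1 || r.height <= 1 || r.right < 0 || r.bottom < 0;
}

function originOf(url) {
  try { return new URL(url).origin; } catch { return null; }
}

// Flag every injected form holding a credential field the user cannot see.
function auditInjectedForms(forms, pageUrl) {
  const pageOrigin = originOf(pageUrl);
  const findings = [];
  for (const form of forms) {
    const hidden = form.fields.filter((f) => isCredentialField(f) && isInvisible(f));
    if (hidden.length === 0) continue;
    const scriptOrigin = originOf(form.insertedBy);
    const thirdParty = scriptOrigin !== null && scriptOrigin !== pageOrigin;
    findings.push({ formId: form.id, hiddenFields: hidden.map((f) => f.name),
      thirdParty, severity: thirdParty ? "high" : "review" });
  }
  return findings;
}

// Constructed sample data: one visible first-party login form, one hidden injected form.
const visible = { display: "block", visibility: "visible", opacity: "1" };
const SAMPLE_FORMS = [
  { id: "login", insertedBy: "https://shop.example/app.js", fields: [
    { name: "email", type: "email", autocomplete: "username", style: visible,
      rect: { width: 240, height: 32, right: 400, bottom: 300 } } ] },
  { id: "f-7c1", insertedBy: "https://tracker.example/t.js", fields: [
    { name: "email", type: "email", autocomplete: "", style: { ...visible, opacity: "0" },
      rect: { width: 1, height: 1, right: -999, bottom: -999 } },
    { name: "pw", type: "password", autocomplete: "", style: { ...visible, display: "none" },
      rect: { width: 0, height: 0, right: 0, bottom: 0 } } ] },
];

console.log(JSON.stringify(auditInjectedForms(SAMPLE_FORMS, "https://shop.example/account"), null, 2));
```

A hidden credential field inserted by the site's own script is reported with severity `review` rather than `high`, since some sites hide fields for legitimate layout reasons.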


Fed up with automatic autofill of credentials? What’s the solution? Simple. Don’t use a login manager that autofills forms without you giving it explicit permission to do so. You might be wiser using a product like 1Password, whose developers confirmed that it was designed to always insist on user approval before filling forms.

If you allow your browser to automatically submit your username and password into forms silently and invisibly, there is always the danger that a malicious site or script may steal the information.

The two scripts spotted by the Princeton researchers – AdThink and OnAudience – appear to have been designed to grab hashed usernames to identify web visitors for ad-tracking purposes, but there is no technical reason why the same approach couldn’t also be used to steal autofilled passwords.

The researchers have built an online demo, where you can test whether you might be vulnerable.

It should go without saying – don’t enter real credentials on that demo page!
