Password Managers can be exploited using Web Trackers


Password managers can be exploited using web trackers. This abuse is possible because of a configuration flaw in the login managers included with all browsers: the components that allow a browser to memorize a user’s username and password for a particular site and auto-insert them into the login fields when the user revisits that site.


Experts say that web trackers can inject hidden login forms into any site where their tracking scripts are loaded. Because of the way login managers work, the browser fills these hidden fields with the user’s login information, such as username and password.

The trick is an old one, known for more than a decade, but until now it had only been employed by attackers trying to collect login data during XSS (cross-site scripting) attacks.

Princeton researchers say they found two web tracking services that use hidden login forms to collect login information.

Fortunately, neither of the two services collected password information, only the user’s username or email address, depending on which of the two each site uses for login.

The two services are Adthink and OnAudience, and the Princeton researchers said they identified scripts from these two that collected login information on 1,110 sites from the Alexa Top 1 Million list.

In this particular case, the two companies were extracting the username/email from the login field, hashing it, and tying that hash to the site visitor’s existing advertising profile.

Email addresses are unique and persistent, so the hash of an email address is an excellent tracking identifier. A user’s email address essentially never changes, so clearing cookies, using private browsing mode, or switching devices won’t stop the tracking. The hash of an email address can be used to link the pieces of an online profile scattered across different browsers, devices, and mobile apps.

Researchers from the Princeton Center for Information Technology Policy (CITP) also produced a demo page on which users can enter fake credentials and see whether their browser’s login manager fills in the hidden field.
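A site owner can audit their own pages for the pattern described above: login-style inputs that a browser's login manager would fill but that are hidden from the user. The scanner below is an added example written for this article, not CITP's tooling; it uses only the standard library and runs over a constructed HTML snapshot that contains one legitimate login form and one injected invisible form.

```python
"""Scan an HTML snapshot for login-style inputs hidden from the user."""
from html.parser import HTMLParser
import re

# Inline-style fragments that keep an element in the DOM but out of sight
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|opacity\s*:\s*0(?![.\d])"
    r"|(?:left|top)\s*:\s*-\d{3,}px", re.I)
# Field attributes a login manager may autofill (type=hidden is never filled)
FILLABLE_TYPES = {"text", "email", "password"}
FILLABLE_AUTOCOMPLETE = {"username", "email", "current-password"}
VOID_TAGS = {"input", "img", "br", "meta", "link", "hr"}

class HiddenLoginFieldScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hidden_stack = []   # one bool per open ancestor: is it hidden?
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        hidden = bool(HIDDEN_STYLE.search(a.get("style", ""))) or "hidden" in a
        if tag == "input":
            fillable = (a.get("type", "text").lower() in FILLABLE_TYPES
                        or a.get("autocomplete", "").lower() in FILLABLE_AUTOCOMPLETE)
            if fillable and (hidden or any(self.hidden_stack)):
                self.findings.append({"name": a.get("name", ""),
                                      "type": a.get("type", "text"),
                                      "line": self.getpos()[0]})
        if tag not in VOID_TAGS:
            self.hidden_stack.append(hidden)

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self.hidden_stack:
            self.hidden_stack.pop()

def scan_html(html):
    """Return the hidden, autofillable inputs found in an HTML document."""
    scanner = HiddenLoginFieldScanner()
    scanner.feed(html)
    return scanner.findings

# Constructed snapshot: a real login form followed by an injected invisible one
SAMPLE_PAGE = """<html><body>
<form action="/login" method="post">
  <input type="email" name="email"> <input type="password" name="password">
</form>
<div style="display:none"><form id="t">
  <input type="text" name="username" autocomplete="username">
  <input type="password" name="passwd">
</form></div>
<input type="hidden" name="csrf" value="constructed-token">
</body></html>"""

if __name__ == "__main__":
    for f in scan_html(SAMPLE_PAGE):
        print(f"hidden fillable input {f['name']!r} ({f['type']}) at line {f['line']}")
```

Because trackers insert these forms at runtime, run the scanner over the DOM serialized from a headless browser after scripts have executed rather than over the raw server response.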
