I don’t know what I’d do without my trusted password manager. Nobody online is safe, which is why I try to secure each account with an individual, hard-to-crack password, and I couldn’t possibly remember them all without a password manager. Like me, plenty of people rely on various apps to keep track of their passwords and fill them in whenever a site asks them to log in.
But it turns out password management apps have a chink in their armor. Apparently, advertising companies can pull data from a browser’s password management system, opening up a massive security flaw.
Research from Princeton’s Center for Information Technology Policy explains that certain scripts are designed to steal identifiable information out of browser-based password managers.
To quickly fill in usernames and passwords saved in a password management app like 1Password (see the update at the end of this post) or LastPass, you have probably installed browser add-ons. It’s those tiny browser apps, and the browser’s own login manager, that the scripts target. Here’s how it works:
First, a user fills out a login form on a page and asks the browser to save the login; the tracking script is not present on that login page. Then the user visits another page on the same website, one that includes the third-party tracking script. The tracking script inserts an invisible login form, which the browser’s login manager fills in automatically. The third-party script reads the user’s email address out of the populated form and sends a hash of it to third-party servers.
Those email address hashes let the third parties track users across sites. The scripts were found on 1110 of the Alexa top 1 million sites, which doesn’t sound too troubling. But it is. Collecting passwords using the same technique may be next.
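To show the defender’s side of the pattern described above, here is an added example (not code from the article or from the Princeton study) that classifies login fields a script injects after page load and hides, the fields a login manager would silently autofill. All function and label names are hypothetical; the classification works on plain field descriptors, and the MutationObserver wiring at the end only activates in a browser.

```javascript
// Added example: flag hidden login fields that a script inserts after page load.
// Descriptor shape (hypothetical): { type, name, id, autocomplete, style, rect, injectedAfterLoad }
const LOGIN_HINTS = /user|email|login|pass/i;
// Password inputs always count; text/email inputs count when an attribute hints
// at a username or email address.
function looksLikeLoginField(f) {
  const type = (f.type || "text").toLowerCase();
  if (type === "password") return true;
  if (type !== "text" && type !== "email") return false;
  return LOGIN_HINTS.test([f.name, f.id, f.autocomplete].filter(Boolean).join(" "));
}
// Invisible by computed style, by a collapsed layout box, or by being placed
// entirely at negative coordinates (rect mirrors getBoundingClientRect()).
function isInvisible(f) {
  const s = f.style || {};
  if (s.display === "none" || s.visibility === "hidden") return true;
  if (parseFloat(s.opacity) === 0) return true;
  const r = f.rect || { x: 0, y: 0, width: 0, height: 0 };
  return r.width === 0 || r.height === 0 || r.x + r.width <= 0 || r.y + r.height <= 0;
}
// A hidden login field that arrived after load is the pattern the study describes;
// a hidden one present at load may be a legitimate multi-step form, so it is only noted.
function classifyField(f) {
  if (!looksLikeLoginField(f)) return "ignore";
  if (!isInvisible(f)) return "visible-login-field";
  return f.injectedAfterLoad ? "suspect-autofill-harvest" : "hidden-login-field";
}
// Defensive action: deny the login manager a target and clear anything already filled.
function neutralize(field) { field.autocomplete = "off"; field.value = ""; return field; }
// Browser-only wiring: watch for inputs added after load and classify each one.
if (typeof document !== "undefined" && typeof MutationObserver !== "undefined") {
  const describe = (el) => {
    const cs = getComputedStyle(el);
    return { type: el.type, name: el.name, id: el.id, autocomplete: el.autocomplete,
             style: { display: cs.display, visibility: cs.visibility, opacity: cs.opacity },
             rect: el.getBoundingClientRect(), injectedAfterLoad: true };
  };
  new MutationObserver((records) => {
    for (const rec of records) for (const n of rec.addedNodes) {
      if (!(n instanceof Element)) continue;
      const inputs = n.matches("input") ? [n] : [...n.querySelectorAll("input")];
      for (const el of inputs) {
        if (classifyField(describe(el)) !== "suspect-autofill-harvest") continue;
        console.warn("Hidden login field injected after load:", neutralize(el));
      }
    }
  }).observe(document.documentElement, { childList: true, subtree: true });
}
```

Treat this as a detection heuristic rather than a fix: some login managers ignore `autocomplete="off"` and may fill before the observer runs, which is why the user-interaction requirement described in the update below is the dependable mitigation.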
Password managers, therefore, should be updated so that ad trackers won’t be able to take advantage of this crucial online security tech. The full article, complete with a video that demos this vulnerability, is available at this link.
UPDATE: Agilebits reached out to BGR to clarify how 1Password handles password fills. The app is purposefully designed so that the user has to take a specific action to trigger a password fill. There are several ways to fill in the username and password, Agilebits explains, but in every case, you have to tell the browser that you want to do it. The app, or the browser extension, won’t do it automatically.
This user interaction is what would stop the data from being automatically added to invisible fields.