Fast & Privacy-Focused DNS by Cloud Flare

Advertisement

How Web Trackers are able to Exploit Password Managers

Majority of the web browsers out there come with a built-in password manager. It is a basic tool which is used to save the login data to a database and it fills out the forms automatically using that information.

Users that look for more functionality tend to use third-party password managers. Princeton Center for Information Technology Policy published a research in which they suggested that many new web trackers actually exploit password managers in order to track users.

A weakness in password managers is exploited by the tracking scripts as mentioned below.

• The user would have data saved on password managers when registering an account on a website.
• Third-party sites would be run by the tracking script. Whenever the site is visited by the user, the login forms would be entered invisibly.
• The password manager of the browser would fill out the information.
• The script would detect all the information and send it to third-party servers which would track the user.

Two different scripts were designed by the researchers to analyze and exploit password managers to get information about the users. On Audience - and - Ad Think - were the two scripts which injected the login information and retrieved the username data. Hashes are computed by the script and sent to third-party servers, where they would be used to track users. In online advertising, user tracking is vital. The username is focused by the researchers; 50,000 websites had been analyzed by the researchers and no traces of password dumping had been found on any of them.

a. Ad Think

The script consists of very detailed categories for physical traits, financial, personal and more. The functionality of the script is described as follows.

• Email address is read by the script and it sends SHA2456, SHA1 and MD5 hashes to secure.audiencesights.net.
• The MD5 hash request of the email address is sent to Acxiom which is a data broker.

b. On Audience

It is most commonly present for Polish websites.

• An MD5 hash of email addresses is computed by the script as well as other browser data such as fingerprints, etc.
• Another hash is also generated which is based on the data.

Protection from Login forms of Web Tracking

Content blockers can be installed by users to block requests to the domains as mentioned above. Easy Privacy addon can be used to do this. However, one can simply add the URLs manually to the blacklist. The login data auto-filing can also be disabled and be used as another defense.

Conclusion

In the world of advertising publishing, there are many lengths which companies would go to in order to track users and get invaluable data. Invasive tracking scripts is a method that users should consider installing content and ad blockers for their web browsers. Whenever one uses a new or different web browser, it is important to learn more about it as well as the websites that they visit to ensure they are protected from password managers being exploited.