No boundaries for user identities: Web trackers exploit browser login managers


58 bookmarks. First posted by kohlmannj december 2017.


No boundaries for user identities: Web trackers exploit browser login managers
from twitter
february 2018 by hdrapin
No boundaries for user identities: Web trackers exploit browser login managers
from twitter
january 2018 by brandizzi
Gunes Acar:
<p>We show how third-party scripts exploit browsers’ built-in login managers (also called password managers) to retrieve and exfiltrate user identifiers without user awareness. To the best of our knowledge, our research is the first to show that login managers are being abused by third-party scripts for the purposes of web tracking.

The underlying vulnerability of login managers to credential theft <a href="https://web.archive.org/web/20120605184841/http://ha.ckers.org/blog/20060821/stealing-user-information-via-automatic-form-filling/">has been known</a> for years. Much of the past discussion has focused on password exfiltration by malicious scripts through cross-site scripting (XSS) attacks. Fortunately, we haven’t found password theft on the 50,000 sites that we analyzed. Instead, we found tracking scripts embedded by the first party abusing the same technique to extract emails addresses for building tracking identifiers.

<img src="https://s3.amazonaws.com/ftt-uploads/wp-content/uploads/2017/12/26232843/Autofill-blog-post2-1024x667.png" width="100%" />

The image above shows the process. First, a user fills out a login form on the page and asks the browser to save the login. The tracking script is not present on the login page [1]. Then, the user visits another page on the same website which includes the third-party tracking script. The tracking script inserts an invisible login form, which is automatically filled in by the browser’s login manager. The third-party script retrieves the user’s email address by reading the populated form and sends the email hashes to third-party servers.</p>


The link above ("has been known") is actually only one of the five offered in that phrase - OK, so I'm lazy about copying all the HTML sometimes. It's a problem though that the most secure way to handle passwords is also so exploitable. So it's back to remembering them all?
browser  security  tracking  privacy 
january 2018 by charlesarthur
digital frontier, written by the Center's faculty, s
panopticon  exfiltration  privacy  tracking  browser  security 
january 2018 by psychemedia
We show how third-party scripts exploit browsers’ built-in login managers (also called password managers) to retrieve and exfiltrate user identifiers without user awareness. To the best of our knowledge, our research is the first to show that login managers are being abused by third-party scripts for the purposes of web tracking.
The underlying vulnerability of login managers to credential theft has been known for years. Much of the past discussion has focused on password exfiltration by malicious scripts through cross-site scripting (XSS) attacks. Fortunately, we haven’t found password theft on the 50,000 sites that we analyzed. Instead, we found tracking scripts embedded by the first party abusing the same technique to extract email addresses for building tracking identifiers.
The image above shows the process. First, a user fills out a login form on the page and asks the browser to save the login. The tracking script is not present on the login page [1]. Then, the user visits another page on the same website which includes the third-party tracking script. The tracking script inserts an invisible login form, which is automatically filled in by the browser’s login manager. The third-party script retrieves the user’s email address by reading the populated form and sends the email hashes to third-party servers.
browser  privacy  security  tracking  advertising  scripts  passwords 
january 2018 by rgl7194
This seems bad, and points to a major issue "It is clear that the Same-Origin Policy is a poor fit for trust relationships on the web today, and that other security defenses would help. But there is another dilemma for browser vendors: should they defend against this and other similar vulnerabilities, or view it as the publisher’s fault for embedding the third party at all?"
privacy  data-dealer  tracking  identity 
january 2018 by jchris
A long-known vulnerability in browsers’ built-in password managers is abused by third-party scripts for tracking on more than a thousand sites.
technology  security  browser 
january 2018 by atelathehun
Research uncovers why we need to adopt a password manager and not rely on the browser.
from twitter
january 2018 by satikusala
"In this second installment of the No Boundaries series, we show how a long-known vulnerability in browsers’ built-in password managers is abused by third-party scripts for tracking on more than a thousand sites."

https://webtransparency.cs.princeton.edu/no_boundaries/autofill_sites.html
browser  privacy  security 
january 2018 by arsyed
First, a user fills out a login form on the page and asks the browser to save the login. The tracking script is not present on the login page. Then, the user visits another page on the same website which includes the third-party tracking script. The tracking script inserts an invisible login form, which is automatically filled in by the browser’s login manager. The **third-party** script retrieves the user’s email address by reading the populated form and sends the email hashes to third-party servers.
security  !publish 
january 2018 by zephyr777
In this second installment of the No Boundaries series, we show how a long-known vulnerability in browsers’ built-in password managers is abused by third-party…
from instapaper
january 2018 by jamies
Web Trackers Are Exploiting Browser Login Managers
from twitter
january 2018 by matthurst
Web Trackers Are Exploiting Browser Login Managers
ifttt  feedbin 
january 2018 by mgacy
via Feedbin Starred Entries for joewiz@gmail.com
IFTTT  Feedbin  Starred  Entries  for  joewiz@gmail.com 
january 2018 by joewiz
“Many of the ads you see on legitimate websites today are effectively malware.” (via )
from twitter
january 2018 by transposition
from Daring Fireball

Gunes Acar, Steven Englehardt, and Arvind Narayanan:

First, a user fills out a login form on the page and asks the browser to save the login. The tracking script is not present on the login page [1]. Then, the user visits another page on the same website which includes the third-party tracking script. The tracking script inserts an invisible login form, which is automatically filled in by the browser’s login manager. The third-party script retrieves the user’s email address by reading the populated form and sends the email hashes to third-party servers.

You can test the attack yourself on our live demo page.

Once again I say: the web would be better off if browsers had never added support for scripting. Many of the ads you see on legitimate websites today are effectively malware.

 ★ 
ifttt  daringfireball 
january 2018 by josephschmitt
Gunes Acar, Steven Englehardt, and Arvind Narayanan:

First, a user fills out a login form on the page and asks the browser to save the login. The tracking script is not present on the login page [1]. Then, the user visits another page on the same website which includes the third-party tracking script. The tracking script inserts an invisible login form, which is automatically filled in by the browser’s login manager. The third-party script retrieves the user’s email address by reading the populated form and sends the email hashes to third-party servers.

You can test the attack yourself on our live demo page.

Once again I say: the web would be better off if browsers had never added support for scripting. Many of the ads you see on legitimate websites today are effectively malware.

 ★ 
via:daringfireball 
january 2018 by rufous
...a long-known vulnerability in browsers’ built-in password managers is abused by third-party scripts for tracking on more than a thousand sites.
january 2018 by SecurityFeed
In this second installment of the No Boundaries series, we show how a long-known vulnerability in browsers’ built-in password managers is abused by third-party…
from instapaper
january 2018 by wakemp
In this second installment of the No Boundaries series, we show how a long-known vulnerability in browsers’ built-in password managers is abused by third-party scripts for tracking on more than a thousand sites.
january 2018 by pitiphong_p
No boundaries for user identities: Web trackers exploit browser login managers
from twitter
january 2018 by blackthorne
Safari password manager used to track you, even with tracking blocked
loopinsight  spike 
january 2018 by edan
How third-party scripts on websites exploit a flaw in browsers' built-in password managers to identify and track users
january 2018 by joeo10
We show how third-party scripts exploit browsers’ built-in login managers (also called password managers) to retrieve and exfiltrate user identifiers without user awareness. To the best of our knowledge, our research is the first to show that login managers are being abused by third-party scripts for the purposes of web tracking.

The underlying vulnerability of login managers to credential theft has been known for years. Much of the past discussion has focused on password exfiltration by malicious scripts through cross-site scripting (XSS) attacks. Fortunately, we haven’t found password theft on the 50,000 sites that we analyzed. Instead, we found tracking scripts embedded by the first party abusing the same technique to extract email addresses for building tracking identifiers. We found two scripts using this technique to extract email addresses from login managers on the websites which embed them. These addresses are then hashed and sent to one or more third-party servers.

Why does the attack work? All major browsers have built-in login managers that save and automatically fill in username and password data to make the login experience more seamless. The set of heuristics used to determine which login forms will be autofilled varies by browser, but the basic requirement is that a username and password field be available.

The simplest defense is to allow users to disable login autofill. For instance, the Firefox preference signon.autofillForms can be set to false to disable autofilling of credentials.
freedom to tinker, 27.12.2017
itsicherheit_authentisierung_passwort  itsicherheit_software_browser  software_passwort_manager  software_javascript  überwachung_internet_tracking  überwachung_identifizierung_itk_nutzer  itsicherheit_by_obscurity  uni_us_princeton  itsicherheit_strategie  itsicherheit_exploit_flaw 
december 2017 by kraven
RT : No boundaries for user identities: Web trackers exploit browser login managers
"a long-kno…
from twitter
december 2017 by oli
In this second installment of the No Boundaries series, we show how a long-known vulnerability in browsers’ built-in password managers is abused by third-party…
from instapaper
december 2017 by hiroprot
We show how third-party scripts exploit browsers’ built-in login managers (also called password managers) to retrieve and exfiltrate user identifiers without user awareness. To the best of our knowledge, our research is the first to show that login …
privacy  security  tracking  PrivacyKit 
december 2017 by loughlin
RT : No boundaries for user identities: Web trackers exploit browser login managers

In the seco…
from twitter
december 2017 by jace
RT : No boundaries for user identities: Web trackers exploit browser login managers

In the seco…
from twitter
december 2017 by mcguinness
We show how third-party scripts exploit browsers’ built-in login managers (also called password managers) to retrieve and exfiltrate user identifiers without user awareness. To the best of our knowledge, our research is the first to show that login managers are being abused by third-party scripts for the purposes of web tracking.

The underlying vulnerability of login managers to credential theft has been known for years. Much of the past discussion has focused on password exfiltration by malicious scripts through cross-site scripting (XSS) attacks. Fortunately, we haven’t found password theft on the 50,000 sites that we analyzed. Instead, we found tracking scripts embedded by the first party abusing the same technique to extract email addresses for building tracking identifiers.

The image above shows the process. First, a user fills out a login form on the page and asks the browser to save the login. The tracking script is not present on the login page [1]. Then, the user visits another page on the same website which includes the third-party tracking script. The tracking script inserts an invisible login form, which is automatically filled in by the browser’s login manager. The third-party script retrieves the user’s email address by reading the populated form and sends the email hashes to third-party servers.
security  privacy  netnarr  ds206 
december 2017 by cogdog
RT : No boundaries for user identities: Web trackers exploit browser login managers

In the seco…
from twitter
december 2017 by bowbrick
No boundaries for user identities: Web trackers exploit browser login managers

In the seco…
from twitter_favs
december 2017 by dermotcasey
No boundaries for user identities: Web trackers exploit browser login managers

In the seco…
from twitter_favs
december 2017 by kohlmannj
No boundaries for user identities: Web trackers exploit browser login managers

In the seco…
from twitter_favs
december 2017 by AramZS