No boundaries for user identities: Web trackers exploit browser login managers


54 bookmarks. First posted by kohlmannj 25 days ago.


No boundaries for user identities: Web trackers exploit browser login managers
from twitter
10 days ago by brandizzi
Gunes Acar:
<p>We show how third-party scripts exploit browsers’ built-in login managers (also called password managers) to retrieve and exfiltrate user identifiers without user awareness. To the best of our knowledge, our research is the first to show that login managers are being abused by third-party scripts for the purposes of web tracking.

The underlying vulnerability of login managers to credential theft <a href="https://web.archive.org/web/20120605184841/http://ha.ckers.org/blog/20060821/stealing-user-information-via-automatic-form-filling/">has been known</a> for years. Much of the past discussion has focused on password exfiltration by malicious scripts through cross-site scripting (XSS) attacks. Fortunately, we haven’t found password theft on the 50,000 sites that we analyzed. Instead, we found tracking scripts embedded by the first party abusing the same technique to extract emails addresses for building tracking identifiers.

<img src="https://s3.amazonaws.com/ftt-uploads/wp-content/uploads/2017/12/26232843/Autofill-blog-post2-1024x667.png" width="100%" />

The image above shows the process. First, a user fills out a login form on the page and asks the browser to save the login. The tracking script is not present on the login page [1]. Then, the user visits another page on the same website which includes the third-party tracking script. The tracking script inserts an invisible login form, which is automatically filled in by the browser’s login manager. The third-party script retrieves the user’s email address by reading the populated form and sends the email hashes to third-party servers.</p>


The link above ("has been known") is actually only one of the five offered in that phrase - OK, so I'm lazy about copying all the HTML sometimes. It's a problem though that the most secure way to handle passwords is also so exploitable. So it's back to remembering them all?
browser  security  tracking  privacy 
12 days ago by charlesarthur
digital frontier, written by the Center's faculty, s
panopticon  exfiltration  privacy  tracking  browser  security 
13 days ago by psychemedia
We show how third-party scripts exploit browsers’ built-in login managers (also called password managers) to retrieve and exfiltrate user identifiers without user awareness. To the best of our knowledge, our research is the first to show that login managers are being abused by third-party scripts for the purposes of web tracking.
The underlying vulnerability of login managers to credential theft has been known for years. Much of the past discussion has focused on password exfiltration by malicious scripts through cross-site scripting (XSS) attacks. Fortunately, we haven’t found password theft on the 50,000 sites that we analyzed. Instead, we found tracking scripts embedded by the first party abusing the same technique to extract emails addresses for building tracking identifiers.
The image above shows the process. First, a user fills out a login form on the page and asks the browser to save the login. The tracking script is not present on the login page [1]. Then, the user visits another page on the same website which includes the third-party tracking script. The tracking script inserts an invisible login form, which is automatically filled in by the browser’s login manager. The third-party script retrieves the user’s email address by reading the populated form and sends the email hashes to third-party servers.
browser  privacy  security  tracking  advertising  scripts  passwords 
14 days ago by rgl7194
This seems bad, and points to a major issue "It is clear that the Same-Origin Policy is a poor fit for trust relationships on the web today, and that other security defenses would help. But there is another dilemma for browser vendors: should they defend against this and other similar vulnerabilities, or view it as the publisher’s fault for embedding the third party at all?"
privacy  data-dealer  tracking  identity 
15 days ago by jchris
A long-known vulnerability in browsers’ built-in password managers is abused by third-party scripts for tracking on more than a thousand sites.
technology  security  browser 
16 days ago by atelathehun
Research uncovers why we need to adopt password manager and not rely on the browser.
from twitter
17 days ago by satikusala
"In this second installment of the No Boundaries series, we show how a long-known vulnerability in browsers’ built-in password managers is abused by third-party scripts for tracking on more than a thousand sites."

https://webtransparency.cs.princeton.edu/no_boundaries/autofill_sites.html
browser  privacy  security 
17 days ago by arsyed
First, a user fills out a login form on the page and asks the browser to save the login. The tracking script is not present on the login page. Then, the user visits another page on the same website which includes the third-party tracking script. The tracking script inserts an invisible login form, which is automatically filled in by the browser’s login manager. The **third-party** script retrieves the user’s email address by reading the populated form and sends the email hashes to third-party servers.
security  !publish 
18 days ago by zephyr777
In this second installment of the No Boundaries series , we show how a long-known vulnerability in browsers’ built-in password managers is abused by third-party…
from instapaper
18 days ago by jamies
Web Trackers Are Exploiting Browser Login Managers
from twitter
18 days ago by matthurst
Web Trackers Are Exploiting Browser Login Managers
ifttt  feedbin 
18 days ago by mgacy
via Feedbin Starred Entries for joewiz@gmail.com
IFTTT  Feedbin  Starred  Entries  for  joewiz@gmail.com 
19 days ago by joewiz
“Many of the ads you see on legitimate websites today are effectively malware.” (via )
from twitter
19 days ago by transposition
from Daring Fireball

Gunes Acar, Steven Englehardt, and Arvind Narayanan:

First, a user fills out a login form on the page and asks the browser to save the login. The tracking script is not present on the login page [1]. Then, the user visits another page on the same website which includes the third-party tracking script. The tracking script inserts an invisible login form, which is automatically filled in by the browser’s login manager. The third-party script retrieves the user’s email address by reading the populated form and sends the email hashes to third-party servers.

You can test the attack yourself on our live demo page.

Once again I say: the web would be better off if browsers had never added support for scripting. Many of the ads you see on legitimate websites today are effectively malware.

 ★ 
ifttt  daringfireball 
19 days ago by josephschmitt
Gunes Acar, Steven Englehardt, and Arvind Narayanan:

First, a user fills out a login form on the page and asks the browser to save the login. The tracking script is not present on the login page [1]. Then, the user visits another page on the same website which includes the third-party tracking script. The tracking script inserts an invisible login form, which is automatically filled in by the browser’s login manager. The third-party script retrieves the user’s email address by reading the populated form and sends the email hashes to third-party servers.

You can test the attack yourself on our live demo page.

Once again I say: the web would be better off if browsers had never added support for scripting. Many of the ads you see on legitimate websites today are effectively malware.

 ★ 
via:daringfireball 
19 days ago by rufous
...a long-known vulnerability in browsers’ built-in password managers is abused by third-party scripts for tracking on more than a thousand sites.
19 days ago by SecurityFeed
In this second installment of the No Boundaries series , we show how a long-known vulnerability in browsers’ built-in password managers is abused by third-party…
from instapaper
19 days ago by wakemp
In this second installment of the No Boundaries series, we show how a long-known vulnerability in browsers’ built-in password managers is abused by third-party scripts for tracking on more than a thousand sites.
19 days ago by pitiphong_p
No boundaries for user identities: Web trackers exploit browser login managers
from twitter
19 days ago by blackthorne
Safari password manager used to track you, even with tracking blocked
loopinsight  spike 
19 days ago by edan
How third-party scripts on websites exploit a flaw in browsers' built-in password managers to identify and track users
19 days ago by joeo10
We show how third-party scripts exploit browsers’ built-in login managers (also called password managers) to retrieve and exfiltrate user identifiers without user awareness. To the best of our knowledge, our research is the first to show that login managers are being abused by third-party scripts for the purposes of web tracking. The underlying vulnerability of login managers to credential theft has been known for years. Much of the past discussion has focused on password exfiltration by malicious scripts through cross-site scripting (XSS) attacks. Fortunately, we haven’t found password theft on the 50,000 sites that we analyzed. Instead, we found tracking scripts embedded by the first party abusing the same technique to extract emails addresses for building tracking identifiers. We found two scripts using this technique to extract email addresses from login managers on the websites which embed them. These addresses are then hashed and sent to one or more third-party servers. Why does the attack work? All major browsers have built-in login managers that save and automatically fill in username and password data to make the login experience more seamless. The set of heuristics used to determine which login forms will be autofilled varies by browser, but the basic requirement is that a username and password field be available. The simplest defense is to allow users to disable login autofill. For instance, the Firefox preference signon.autofillForms can be set to false to disable autofilling of credentials.
freedom to tinker, 27.12.2017
itsicherheit_authentisierung_passwort  itsicherheit_software_browser  software_passwort_manager  software_javascript  überwachung_internet_tracking  überwachung_identifizierung_itk_nutzer  itsicherheit_by_obscurity  uni_us_princeton  itsicherheit_strategie  itsicherheit_exploit_flaw 
23 days ago by kraven
RT : No boundaries for user identities: Web trackers exploit browser login managers
"a long-kno…
from twitter
23 days ago by oli
In this second installment of the No Boundaries series , we show how a long-known vulnerability in browsers’ built-in password managers is abused by third-party…
from instapaper
24 days ago by hiroprot
We show how third-party scripts exploit browsers’ built-in login managers (also called password managers) to retrieve and exfiltrate user identifiers without user awareness. To the best of our knowledge, our research is the first to show that login …
privacy  security  tracking  PrivacyKit 
24 days ago by loughlin
RT : No boundaries for user identities: Web trackers exploit browser login managers

In the seco…
from twitter
24 days ago by jace
RT : No boundaries for user identities: Web trackers exploit browser login managers

In the seco…
from twitter
24 days ago by mcguinness
We show how third-party scripts exploit browsers’ built-in login managers (also called password managers) to retrieve and exfiltrate user identifiers without user awareness. To the best of our knowledge, our research is the first to show that login managers are being abused by third-party scripts for the purposes of web tracking.

The underlying vulnerability of login managers to credential theft has been known for years. Much of the past discussion has focused on password exfiltration by malicious scripts through cross-site scripting (XSS) attacks. Fortunately, we haven’t found password theft on the 50,000 sites that we analyzed. Instead, we found tracking scripts embedded by the first party abusing the same technique to extract emails addresses for building tracking identifiers.

The image above shows the process. First, a user fills out a login form on the page and asks the browser to save the login. The tracking script is not present on the login page [1]. Then, the user visits another page on the same website which includes the third-party tracking script. The tracking script inserts an invisible login form, which is automatically filled in by the browser’s login manager. The third-party script retrieves the user’s email address by reading the populated form and sends the email hashes to third-party servers.
security  privacy  netnarr  ds206 
25 days ago by cogdog
RT : No boundaries for user identities: Web trackers exploit browser login managers

In the seco…
from twitter
25 days ago by bowbrick
No boundaries for user identities: Web trackers exploit browser login managers

In the seco…
from twitter_favs
25 days ago by dermotcasey
No boundaries for user identities: Web trackers exploit browser login managers

In the seco…
from twitter_favs
25 days ago by kohlmannj
No boundaries for user identities: Web trackers exploit browser login managers

In the seco…
from twitter_favs
25 days ago by AramZS