Your logins can be exposed to trackers because of the browser
Researchers at Princeton University’s Center for Information Technology Policy, who a little over a month ago revealed that some of the world’s most important websites record what users do on them, have published a second installment of their series on personal information extraction. This time they focus on the worrying abuse of a known vulnerability in the password managers built into browsers.
This is, according to their statements, the first investigation to demonstrate that login managers are being exploited by third-party web trackers to improve their tracking, retrieving and exfiltrating user identifiers without users noticing.
The findings of these experts should warn us about the possibility that advertising and analytics companies may be secretly extracting user names from browsers using hidden login fields, linking unauthenticated users who visit a site with their accounts on that site.
A known and reused vulnerability
The vulnerability of these credential managers is at least five years old, with articles and forum comments discussing it since 2012, when the concern was essentially the possibility of extracting passwords in XSS attacks, overlooking the underlying privacy problem.
Of the 50,000 sites analyzed by the Princeton researchers, none stole passwords by this method, but email addresses are extracted to build tracking identifiers with which to track users.
The method is simple. Once a user has filled out a login form on a website and asked the browser to save the data, a third-party tracking script on other pages of the same website embeds an invisible login form, which the browser's login manager fills in automatically. From the user’s data, a nickname or an email address, the script creates a hash that can be linked to that user.
It should be noted that this only happens within a specific domain, with the credentials saved for that particular domain, so it is not possible to access the credentials saved for other websites.
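The invisible form described above can be looked for from the defender's side. The following is an added example, not code from the Princeton researchers or from the original article: a JavaScript heuristic that flags credential-type inputs rendered so that the user cannot see them. The field-name hints, the size thresholds and the sample data are assumptions.

```javascript
// Added example: defensive audit for credential fields the user cannot see.
// Descriptors are plain objects, so the check runs in Node and in a browser.
const CREDENTIAL_TYPES = new Set(["email", "password"]);
const CREDENTIAL_HINTS = /user|login|email|pass/i; // assumed naming hints

// True when a login manager is likely to treat the field as a credential.
function isCredentialField(f) {
  return CREDENTIAL_TYPES.has(f.type) ||
    (f.type === "text" && CREDENTIAL_HINTS.test(`${f.name} ${f.autocomplete}`));
}

// True when the field renders nothing the user could notice.
function isInvisible(f) {
  return f.display === "none" || f.visibility === "hidden" ||
    parseFloat(f.opacity) === 0 || f.width <= 1 || f.height <= 1 || f.offscreen;
}

// Credential fields that can receive autofill while staying out of sight.
function findHiddenCredentialFields(fields) {
  return fields.filter((f) => isCredentialField(f) && isInvisible(f));
}

// Browser-side collector: converts live <input> elements into descriptors.
function describeInputs(doc, win) {
  return Array.from(doc.querySelectorAll("input")).map((el) => {
    const style = win.getComputedStyle(el);
    const box = el.getBoundingClientRect();
    return {
      type: el.type, name: el.name, autocomplete: el.autocomplete,
      display: style.display, visibility: style.visibility, opacity: style.opacity,
      width: box.width, height: box.height,
      offscreen: box.right < 0 || box.bottom < 0,
    };
  });
}

// Constructed sample: a visible login form, one invisible email field, one hidden search box.
const shown = { display: "block", visibility: "visible", opacity: "1", width: 240, height: 32, offscreen: false };
const SAMPLE_FIELDS = [
  { ...shown, type: "email", name: "email", autocomplete: "username" },
  { ...shown, type: "password", name: "password", autocomplete: "current-password" },
  { ...shown, type: "email", name: "e", autocomplete: "", display: "none", width: 0, height: 0 },
  { ...shown, type: "text", name: "q", autocomplete: "off", display: "none", width: 0, height: 0 },
];

// In a browser console, audit the live page; in Node, audit the sample.
const fields = typeof document === "undefined" ? SAMPLE_FIELDS : describeInputs(document, window);
console.log(findHiddenCredentialFields(fields).map((f) => `${f.type}:${f.name}`));
```

A flagged field is only a lead: legitimate pages also hide login forms until a menu is opened, so the next step is to check which script inserted the form.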
“The elimination of cookies, the use of private browsing mode or the change of devices will not prevent tracking” and, in addition, “can be used to connect the pieces of an online profile scattered by different browsers, devices and mobile applications”, the researchers say.
Anyone can verify the vulnerability, by entering false credentials and having the browser remember them, through this demo page created by the privacy specialists of the Center for Information Technology Policy of Princeton University.
Using the test page, we have seen that Chrome, Firefox, Edge and Opera appear to be vulnerable to this type of information extraction using a hidden form. However, it should be noted that the two Chromium-based browsers, Chrome and Opera, only provide the tracking script with the password data if a click is made on the page.
So far, the researchers have detected this practice in only two services, found on 1,110 sites from Alexa's list of the top one million websites.