Slashdot Mirror


Web Trackers Exploit Flaw In Browser Login Managers To Steal Usernames (bleepingcomputer.com)

An anonymous reader writes: Princeton privacy experts are warning that advertising and analytics firms can secretly extract site usernames from browsers using hidden login fields and tie non-authenticated users visiting a site with their profiles or emails on that domain. This type of abusive behavior is possible because of a design flaw in the login managers included with all browsers. Experts say that web trackers can embed hidden login forms on sites where the tracking scripts are loaded. Because of the way the login managers work, the browser will fill these fields with the user's login information, such as username and passwords.

The trick is an old one, known for more than a decade but until now it's only been used by hackers trying to collect login information during XSS (cross-site scripting) attacks. Princeton researchers say they recently found two web tracking services that utilize hidden login forms to collect login information. The two services are Adthink (audienceinsights.net) and OnAudience (behavioralengine.com), and Princeton researchers said they identified scripts from these two that collected login info on 1,110 sites found on the Alexa Top 1 Million sites list. A demo page has been created to show how the tracking works.
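The technique the summary describes can be audited for from the page side. The following is an added example, not code from the Princeton study, from the trackers, or from this thread: it takes a list of descriptors for a page's `<input>` elements and flags credential fields that are hidden, tiny, off-screen, or whose enclosing form submits to an origin other than the page's own, which is what an injected autofill-harvesting form looks like. The field descriptors, the origins `shop.example` and `tracker.example`, and the heuristics are constructed here for illustration; a real page would feed it `Array.from(document.querySelectorAll('input')).map(describeInput)`.

```javascript
// Added example (not code from the Princeton study, the trackers, or this
// thread): audit a page's <input> elements for hidden credential fields of the
// kind described above, i.e. a login form a script has injected out of sight
// so the browser's login manager fills it. Runs stand-alone on the constructed
// sample below; in a browser you would build the same descriptors from the
// live DOM with describeInput() at the bottom.

const CREDENTIAL_AUTOCOMPLETE = new Set([
  'username', 'email', 'current-password', 'new-password',
]);
const CREDENTIAL_NAME = /user|login|email|pass/i;

// A field the login manager is likely to fill.
function isCredentialField(f) {
  return f.type === 'password'
    || CREDENTIAL_AUTOCOMPLETE.has(String(f.autocomplete || '').toLowerCase())
    || CREDENTIAL_NAME.test(f.name || '');
}

// Ways a field can be present in the DOM yet invisible to the user. A field
// inside a display:none ancestor keeps its own display value but reports a
// zero-size box, so the size check catches that case too.
function hiddenReasons(f) {
  const reasons = [];
  if (f.display === 'none') reasons.push('display:none');
  if (f.visibility === 'hidden') reasons.push('visibility:hidden');
  if (Number(f.opacity) === 0) reasons.push('opacity:0');
  if (f.width * f.height <= 1) reasons.push('zero or 1px box');
  if (f.left < -500 || f.top < -500) reasons.push('positioned off-screen');
  return reasons;
}

function originOf(url, base) {
  try { return new URL(url, base).origin; } catch (e) { return null; }
}

// Report every credential field that is hidden, or whose form submits to an
// origin other than the page's own. Visible first-party login forms pass.
function auditFields(fields, pageOrigin) {
  const findings = [];
  for (const f of fields) {
    if (!isCredentialField(f)) continue;
    const reasons = hiddenReasons(f);
    const formOrigin = f.formAction ? originOf(f.formAction, pageOrigin) : pageOrigin;
    if (formOrigin && formOrigin !== pageOrigin) reasons.push(`form posts to ${formOrigin}`);
    if (reasons.length) findings.push({ id: f.id, type: f.type, reasons });
  }
  return findings;
}

// Constructed sample: a real login form, a search box, and two injected fields
// posting to a hypothetical tracker origin. shop.example and tracker.example
// are placeholders, not domains from the story.
const PAGE_ORIGIN = 'https://shop.example';
const VISIBLE = { display: 'block', visibility: 'visible', opacity: '1',
                  width: 200, height: 24, left: 40, top: 120 };
const SAMPLE_FIELDS = [
  { id: 'login-user', type: 'text', name: 'username', autocomplete: 'username',
    ...VISIBLE, formAction: '/login' },
  { id: 'login-pass', type: 'password', name: 'password', autocomplete: 'current-password',
    ...VISIBLE, formAction: '/login' },
  { id: 'q', type: 'search', name: 'q', autocomplete: 'off', ...VISIBLE, formAction: '/search' },
  { id: 'trk-u', type: 'text', name: 'email', autocomplete: 'username',
    ...VISIBLE, display: 'none', width: 0, height: 0,
    formAction: 'https://tracker.example/collect' },
  { id: 'trk-p', type: 'password', name: 'password', autocomplete: 'current-password',
    ...VISIBLE, width: 1, height: 1, left: -9999, top: -9999,
    formAction: 'https://tracker.example/collect' },
];

function auditSample() {
  return auditFields(SAMPLE_FIELDS, PAGE_ORIGIN);
}

// Browser-side collector for the same descriptors (needs a DOM; not run here):
//   Array.from(document.querySelectorAll('input')).map(describeInput)
function describeInput(el) {
  const cs = window.getComputedStyle(el);
  const r = el.getBoundingClientRect();
  return {
    id: el.id, type: el.type, name: el.name, autocomplete: el.autocomplete,
    display: cs.display, visibility: cs.visibility, opacity: cs.opacity,
    width: r.width, height: r.height, left: r.left, top: r.top,
    formAction: el.form ? el.form.action : null,
  };
}

console.log(JSON.stringify(auditSample(), null, 2));
```

Run it and only the two injected fields are reported, each with the reasons it was flagged; the visible first-party login form and the search box are not. The check is a heuristic: a tracker can also inject a visible-but-overlooked field, or post the value with `fetch()` from a form that has no `action` at all, so treat a hit as a lead for inspecting which script created the element rather than as proof.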

76 comments

  1. This still works? by TheRaven64 · · Score: 1

    I remember reading about this years ago, and was under the impression that this had been fixed by browsers filling the form fields in the UI, but not in the DOM, until the user explicitly selected one of the fields in the same form. There are still some sneaky things you can do (for example, have a 1px by 1px form field so the user submits more information than they think they are submitting), but you can't just grab the data from the form until the user interacts with some part of it.

    --
    I am TheRaven on Soylent News
    1. Re:This still works? by Opportunist · · Score: 1

      It should not be. For exactly the reason the article says, a sensible browser will only start autofilling once you start to interact with a field.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    2. Re:This still works? by fubarrr · · Score: 1

      But nothing prevents a synthetic event from triggering the filling in any WebKit-based browser

    3. Re:This still works? by Opportunist · · Score: 2

      If the browser lets the event that triggers the filling be automated, yes. This is the part that must not be possible.

      Again, it's down to the browser, nothing else.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    4. Re:This still works? by gweihir · · Score: 1

      All the old flaws are coming back, because the younger generation of developers have in general much less of a clue than the ones that created the flaws originally. It is really incredible how utterly clueless many developers are today when it comes to security.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    5. Re:This still works? by VeryFluffyBunny · · Score: 1

      You mean like interacting with a keyword search or clicking on a preference tick box? The rest of the form would be invisible and auto-filled.

      I never let browsers store any of my login information. I take my laptop out and about a lot so I assume that it'll get lost or stolen sooner or later (luckily hasn't happened yet). Imagine losing your laptop with easily find-able passwords on it?

      I always use a separate, local, encrypted password manager and copy and paste the credentials across, then the paste-board automatically wipes. Using a password manager also means that I use the longest, strongest possible passwords and I can easily backup the encrypted password database.

      --
      Debate is a form of harassment. Do not question my truth.
  2. Want to take bets? by Opportunist · · Score: 1

    My crystal ball tells me we'll hear about a surefire way to block those ad services in no later than 10 postings, 20 tops.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    1. Re:Want to take bets? by Anonymous Coward · · Score: 2, Funny

      turn off the computer ;)

    2. Re:Want to take bets? by Anonymous Coward · · Score: 0

      Dude, are you trying to summon him?

      Let's all hope He Who Shall Not Be Named got hit by a bus this holiday season.

    3. Re:Want to take bets? by Anonymous Coward · · Score: 0

      Don't use the browser's login manager? (In other words, don't let the browser remember your username/password, and simply retype them every time? If you use a separate password manager, it's part of the process anyway.)

    4. Re:Want to take bets? by mrbester · · Score: 1

      I would, but it hasn't told me it is safe to do so yet.

      --
      "Wait. Something's happening. It's opening up! My God, it's full of apricots!"
    5. Re:Want to take bets? by Anonymous Coward · · Score: 0

      Nuts! Beat to the punch...

    6. Re:Want to take bets? by Anonymous Coward · · Score: 0

      The problem is that a lot of browsers automatically store information that you've typed into them by default and can make it a pain to deactivate because clearly we all want possibly sensitive information stored in the browser.

  3. Good news by fennec · · Score: 4, Informative

    I just tested and it does not work with Lastpass (on Chrome)

    1. Re:Good news by Anonymous Coward · · Score: 0

      Also has no chance of working with 1password (FF or Opera).

    2. Re:Good news by Erik+Hensema · · Score: 1

      Indeed. It however does work when you manually tell LastPass to fill a password. But nothing in the UI prompts you to do so, so I consider this safe behavior.

      --
      This is your sig. There are thousands more, but this one is yours.

    3. Re:Good news by Anonymous Coward · · Score: 0

      Tested on Chrome with Chrome's built-in password manager. Works as advertised. *swears terrifiedly*

    4. Re: Good news by Anonymous Coward · · Score: 1

      Chrome FIX
      enable chrome://flags/#fill-on-account-select

    5. Re:Good news by Carcass666 · · Score: 1

      Ditto on LastPass and Firefox Developer (although, to be honest, LastPass on Firefox Quantum only seems to work 3/4 of the time anyway...)

    6. Re:Good news by AmiMoJo · · Score: 1

      Doesn't work in Chrome full stop. Chrome doesn't auto-fill if any script on the page can read the login form, it waits for the user to start typing in the field. Same with credit card auto fill.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    7. Re:Good news by KingMotley · · Score: 1

      Not sure you actually tried it. I just did with Version 63.0.3239.84 (Official Build) (64-bit), and it immediately pulled the username, and as soon as I clicked on anything on the page it also grabbed the password.

    8. Re: Good news by Anonymous Coward · · Score: 0

      This works. Good find. Thanks!

    9. Re:Good news by Anonymous Coward · · Score: 0

      Doesn't work in Chrome full stop. Chrome doesn't auto-fill if any script on the page can read the login form, it waits for the user to start typing in the field. Same with credit card auto fill.

      Check this setting in Chrome:

      chrome://flags/#fill-on-account-select

      On my version of Chrome, it was set to Default which is the same as DISABLED. When I ran the demo test, it was successful in getting my login/pass. You likely have it set to ENABLED. After I set mine to ENABLED, the demo test was unsuccessful.

    10. Re:Good news by ragahast · · Score: 1

      Indeed. It however does work when you manually tell LastPass to fill a password. But nothing in the UI prompts you to do so, so I consider this safe behavior.

      The important thing is what happens if there is a real login field and the third party fields are hidden.

      It looks like the only safe way to use LastPass is copy-and-paste. Which, in retrospect, makes sense.

      --
      .:Semper Absurda:.
    11. Re: Good news by khandom08 · · Score: 1

      Indeed it does :)

    12. Re:Good news by AlejandroTejadaC · · Score: 1

      This exploit does not work with Private Windows on Firefox either... but it actually does work with Firefox public windows. Should we use only Firefox's Private windows from now on?

    13. Re:Good news by bingoUV · · Score: 1

      In OSes and individual applications that might be in focus: clipboard-stealing attacks commonly keep getting found, published, and occasionally fixed. So you need to track a lot of vulnerabilities if you use copy and paste.

      --
      Bingo Dictionary - Pragmatist, n. A myopic idealist.
  4. Russians are evil by WCMI92 · · Score: 1

    So are advertisers. They have no morals, just like marketing graduates...

    --
    Corporatism != Free Market
  5. advertising is a crime by mapkinase · · Score: 1

    Go to Kinkos, laminate and hang it in your hall.

    --
    I do not believe in karma. "Funny"=-6. Do good and forbid evil. Yours, Oft-Offtopic Flamebaiting Troll.
    1. Re:advertising is a crime by Anonymous Coward · · Score: 0

      Reminds me of the famous Conan misquote:

      Mongol King: What are the best things in life?

      Conan:
      To crush your enemies.
      To see them driven before you.
      To hear the laminations of their women.

  6. This is not "abuse" by klingens · · Score: 5, Insightful

    This is simply outright what is colloquially known as "hacking". Which is why the CFAA needs to be applied. Why haven't these researchers told their AG?
    After all, when normal users find an unsecured database by some corporation and access it, they get sued too. The same standard applies here, and this time the culprits even use a documented security hole, meaning the crime is wholly willful.

    1. Re:This is not "abuse" by Anonymous Coward · · Score: 1

      And the corporations even being located where they can be held responsible. Nice.

  7. NoScript by evanh · · Score: 1

    for the win! :)

    1. Re:NoScript by jalbarl25 · · Score: 0

      Maybe that's why Mozilla went to great lengths to remove it in the current version

      --
      The technology graveyard is full of zombies (alvinrod)
    2. Re:NoScript by sound+vision · · Score: 1

      How current are we talking? Because I did an OS wipe around 3 weeks ago, used whatever the default installer on Mozilla's site is, and let it update itself using all the default settings, and NoScript works here. I do recall reading something last month about there briefly being no version of NoScript that would run on the latest Firefox, but whatever that was, it appears to be fixed.

    3. Re:NoScript by Anonymous Coward · · Score: 0

      Nice lies Google shill.

  8. iOS with Purify blocking scripts by default by 93+Escort+Wagon · · Score: 1

    Seems to prevent it from working. But another browser (Safari on OS X) which doesn’t block scripts by default gave up the credentials.

    So I guess the solution is NoScript or the equivalent.

    --
    #DeleteChrome
  9. Good News! by Anonymous Coward · · Score: 0

    Doesn't affect 1Password on Firefox, unless you actively tell it to populate the web page.

    1. Re:Good News! by Anonymous Coward · · Score: 1

      unless you actively tell it to populate the web page.

      So, like, wiggle your leg at the same time you tell it to populate the web page?

    2. Re: Good News! by Anonymous Coward · · Score: 0

      Ten pieces of chocolate to anyone who knows

  10. Re:America is truly f*cked. Wake up!! by Anonymous Coward · · Score: 0

    Jesus fuck, this shit is long.

  11. Firefox : pull-down menu by DrYak · · Score: 1

    I remember reading about this years ago, and was under the impression that this had been fixed by browsers filling the form fields in the UI, but not in the DOM, until the user explicitly selected one of the fields in the same form.

    That's the case in Firefox:
    - you need to click on either the username or password field to get a pull-down menu that gives you information about the login, and gives you a selection of passwords saved in the manager.

    Also, with most browsers you get extensions like uBlock Origin, AdBlock Plus, etc. which are going to block most common advertisers.

    And extensions such as Privacy Badger which are going to block most common trackers.

    And specifically in Firefox (because it requires either having the new additional extensions they've added to WebExtensions to enable this kind of software in the latest Firefox, or having the XUL API in the long-term support version) you can also have NoScript, which is going to block all non-explicitly-authorised JavaScript (so trackers missed by the blacklists of UBO, ADP, etc. are blocked anyway), and provides additional alerts against cross-site scripting (XSS).

    Remember: just as you never fuck without condom, you never surf without your security extensions.

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
    1. Re:Firefox : pull-down menu by Anonymous Coward · · Score: 0

      That's the case in Firefox:
      - you need to click on either the username or password field to get a pull-down menu that gives you information about the login, and gives you a selection of passwords saved in the manager.

      I just tried with Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0, and once addons were disabled, it filled data on the demo site on its own. No interaction required. No interaction would be possible with invisible fields anyway.

      Firefox shows a drop-down list if more than 1 username/password is stored.

    2. Re:Firefox : pull-down menu by houghi · · Score: 1

      Firefox 52.5.0 (64-bit)
      Fill out username and pass and remember it. It shows username and pass.
      Redo it and add a new username and/or pass and it will see nothing.
      Remove one of the two and it will show username and pass.
      I deleted the first one. So it did not show the second one when there were two passwords, but did so when only one was available.

      I already have different blockers and trackers, so I installed Privacy Badger. Well, guess what? There was no difference.

      Remember: you still get can get fucked against your will without a condom.

      --
      Don't fight for your country, if your country does not fight for you.
    3. Re:Firefox : pull-down menu by Anonymous Coward · · Score: 0

      That is why I never store username/password in the browser. One can use an external password manager like KeePass and just save passwords there. It also prevents my relatives who may use my computer from logging in to any sites that I use. Also, if the computer gets stolen, no login information would be readily available to anyone.
      Security and convenience do not go together, so I personally prefer security.

    4. Re:Firefox : pull-down menu by Anonymous Coward · · Score: 0

      Yeah on HTTPS websites, Firefox does still autofill login forms by default.

      Not on HTTP websites anymore though (signon.autofillForms.http=false by default).

      If you want to prevent login form autofilling completely, even on HTTPS websites, use signon.autofillForms=false

  12. Russians and advertisers by Anonymous Coward · · Score: 0

    The worst part is that browser development is mainly financed by advertisers. When the other side is against you, that's bad. But when you have the enemy implanted in your home, you've lost.

    Yes, Firefox. I believe them to have the best intentions (as opposed to the other browser makers, don't tell me that Chrome or Safari or what's-Microsoft's-browser-called-this-week cater more to you or me than to their maker!), but their world view might be slightly... skewed.

  13. Don't use CORS, get fucked by Anonymous Coward · · Score: 0

    Blame your incompetent webmaster for the website misconfiguration and lack of CORS headers.

    1. Re: Don't use CORS, get fucked by Anonymous Coward · · Score: 0

      I don't think CORS would help here. I believe that CORS stops malicious site A from posting things to site B.

      In this case malicious site A is being loaded by B and then posting to itself.

      Please clarify if I am mistaken.

    2. Re: Don't use CORS, get fucked by Anonymous Coward · · Score: 0

      My bad, I mixed up my acronyms, I mean CSP/XFrameOptions

      https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet
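Of the two headers the correction names, X-Frame-Options addresses framing and does nothing against a script the page itself loads; a Content-Security-Policy `script-src` directive is the one that decides which script origins a page may execute at all. The following is an added example, not code from this thread, from OWASP, or from any browser: a simplified evaluator for `script-src` that shows which script URLs a strict and a lax policy admit. It implements `'none'`, `'self'`, `*`, scheme sources such as `https:`, and host sources with optional scheme, leading `*.` wildcard and port; path matching, nonces, hashes and `'strict-dynamic'` are left out. The origin `shop.example`, the policies and the script paths are placeholders; the two tracker domains are the ones named in the story.

```javascript
// Added example (not code from the page, OWASP, or any browser): a simplified
// evaluator for the CSP script-src directive, used to check which script URLs
// a policy lets a page load. Covers 'none', 'self', '*', scheme sources and
// host sources (optional scheme, *. wildcard, port). Path matching, nonces,
// hashes and 'strict-dynamic' are intentionally omitted.

const DEFAULT_PORT = { 'http:': '80', 'https:': '443' };

// "default-src 'self'; script-src 'self' https://cdn.example" -> { 'default-src': [...], ... }
function parsePolicy(header) {
  const directives = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) directives[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return directives;
}

function hostMatches(pattern, host) {
  if (pattern === '*') return true;
  if (pattern.startsWith('*.')) {
    const suffix = pattern.slice(1);            // "*.shop.example" -> ".shop.example"
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return pattern === host;
}

// Does one source expression admit the parsed script URL?
function sourceMatches(src, url, pageOrigin) {
  const s = src.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return url.origin === pageOrigin;
  if (s.startsWith("'")) return false;        // 'unsafe-inline', 'nonce-...', 'sha256-...': not host sources
  const isWeb = url.protocol === 'http:' || url.protocol === 'https:';
  if (s === '*') return isWeb;
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return url.protocol === s;   // scheme-source, e.g. "https:"
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(?::(\d+|\*))?/.exec(s);
  if (!m) return false;
  const [, scheme, host, port] = m;
  if (scheme ? url.protocol !== scheme + ':' : !isWeb) return false;
  if (!hostMatches(host, url.hostname)) return false;
  if (port === undefined) return url.port === '';      // no port in source: default port only
  const urlPort = url.port || DEFAULT_PORT[url.protocol] || '';
  return port === '*' || port === urlPort;
}

// script-src governs scripts; default-src is the fallback; no directive means no restriction.
function scriptAllowed(header, scriptUrl, pageOrigin) {
  const d = parsePolicy(header);
  const sources = d['script-src'] || d['default-src'];
  if (!sources) return true;
  const url = new URL(scriptUrl);
  return sources.some((src) => sourceMatches(src, url, pageOrigin));
}

// Placeholders: a first-party origin, a strict policy naming only its own CDN,
// and a lax policy that admits any https host (so any tracker as well).
const PAGE_ORIGIN = 'https://shop.example';
const STRICT = "default-src 'self'; script-src 'self' https://cdn.shop.example";
const LAX = "default-src 'self'; script-src 'self' https:";
const SCRIPTS = [
  'https://shop.example/js/app.js',
  'https://cdn.shop.example/lib.js',
  'https://audienceinsights.net/tracker.js',   // path is a placeholder
  'https://behavioralengine.com/tracker.js',   // path is a placeholder
];

function evaluatePolicies() {
  const out = {};
  for (const u of SCRIPTS) {
    out[u] = { strict: scriptAllowed(STRICT, u, PAGE_ORIGIN),
               lax: scriptAllowed(LAX, u, PAGE_ORIGIN) };
  }
  return out;
}

console.table(evaluatePolicies());
```

Under the strict policy both tracker hosts are refused and only the first-party and CDN scripts load; under the lax `https:` policy every one of them loads. The caveat that matters for this story: the study found the harvesting scripts embedded by the first party, and a site that chose to include a tracker will also whitelist it, so CSP protects visitors only where the operator writes a tight policy. It also does nothing about the browser autofilling a hidden form in a script the policy does admit.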

  14. Pi-hole or ublock when travelling FTW by wbr1 · · Score: 1
    https://pi-hole.net/

    pi-hole that shit.

    --
    Silence is a state of mime.
  15. Re: America is truly f*cked. Wake up!! by Anonymous Coward · · Score: 0

    -1, so didn't see it.

  16. all i want to know is ... by Anonymous Coward · · Score: 2, Interesting

    are the CEO's arrested yet?
    company assets seized?

    if not, when will this happen?

    1. Re: all i want to know is ... by GameboyRMH · · Score: 1

      Came here to say this, If these ad companies were harvesting passwords, the punishments need to be dire. People need to go to jail, people at the top.

      Also, I've always thought that browser-integrated password managers were an inherently terrible idea due to the potential for exploits like this, so it's good to be proven right again.

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
    2. Re: all i want to know is ... by Anonymous Coward · · Score: 0

      In order for anybody from the police to do anything somebody has to make a report. Since Cloud Technologies, the parent company, is based in Poland that would be to GIODO for privacy issues and your local police for hacking as well as to other European data protection agencies.

  17. Chrome FIX by Anonymous Coward · · Score: 0

    enable chrome://flags/#fill-on-account-select

  18. Who uses autocomplete? by jbmartin6 · · Score: 1

    More and more, the only defense is don't use it and don't have it.

    --
    This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
    1. Re:Who uses autocomplete? by Anonymous Coward · · Score: 0

      This! Why does anybody use the browser autofill? That has been a vulnerability since day 1. At least, set a master password that has to be entered before anything is done, but the better way is to use a separate password manager like Keepass, then copy things from that to the login fields that are actually displayed. The only downside to that is that I've found a couple of sites (they're very rare) where you can't paste something into the password field - annoying, but probably safer if you have to actually press keys to do it. Keep the browser itself (where the script hacks live) in the dark as to your credentials.

      Yes, I'm sure the (supposedly secured) password collection displays can also be hacked. Entire websites have been cloned and redirected in the past and will continue to be. Hacking is a lucrative "business." But not storing things in the browser itself is still a good idea, as is making the transfer process manual.

  19. Safari affected, too by Rick+Zeman · · Score: 1

    So I wonder how the companies can justify this? I can't think of any compelling legal reason to get users' login information.

    1. Re:Safari affected, too by Fringe · · Score: 1

      I'm not sure you know the meaning of the word "compelling". Or perhaps "legal". It may not seem ethical, but what they're doing is using another bit of data you are voluntarily (by virtue of your chosen browser settings) providing to "fingerprint" you. It is a bit worse than IP Address or cookie tracking, or way back when mobile phones included a device identifier in the header, but only barely.

      So why is it compelling? Because their revenue is based on tracking and monetizing your interests.

      Why is it legal? Because there's no law against it.

    2. Re:Safari affected, too by Anonymous Coward · · Score: 0

      It may not seem ethical, but what they're doing is using another bit of data you are voluntarily (by virtue of your chosen browser settings) providing to "fingerprint" you. It is a bit worse than IP Address or cookie tracking, or way back when mobile phones included a device identifier in the header, but only barely.

      By your logic, it is merely "unethical" to collect every keystroke from a user who "volunteers" by leaving JavaScript enabled.

  20. People are still loading web trackers? by Anonymous Coward · · Score: 0

    In 2017-almost-2018?

    Why? Haven't we learned this lesson by now? Seriously, why would you let your computer load web trackers? What's in it for you?

  21. Hosts files ftw by Anonymous Coward · · Score: 1

    0.0.0.0 audienceinsights.net
    0.0.0.0 behavioralengine.com

  22. It does so work against Chrome... by Fringe · · Score: 1

    I just tried it with Chrome 63.0.3239.108; it retrieved the username immediately.

  23. bad websites are the problem by Anonymous Coward · · Score: 0

    You can't stop a bad website from leaking the information you trust them with. They are responsible for the scripts they use on their sites.

    In the meantime, a password box should prevent JavaScript from reading its value until JavaScript sets a value. Just follow the same behavior of style properties in the DOM not matching their CSS until set by JavaScript. That would reduce password leaking for badly secured websites.

    Anything else shouldn't be done. It's the website's fault. The browser can't protect them from themselves completely.

    We've needed better efforts for authentication for a long time; we need some new standards. certificate logins for example... signed by each website, kept secret on the browser pw manager; never completely disclosed.

  24. The weakest link in the chain, yada-yada... by Anonymous Coward · · Score: 0

    > a design flaw in the login managers included with all browsers.

    That annoying prompt that asks you whether you want the browser to remember the login name and password, or auto-fill forms? I never allow any browser to do that. Ever.

    I also don't use any browser plugin-based password manager. It's been well established that new exploits are being found in browsers all the time (all of them), therefore running your password manager in the same process space as the browser itself means you're always just one buffer overflow away from getting your data accessed in some unintentional way. Even if the plugin itself is pretty much bullet-proof.

    I do use a password manager. But it's not connected to a browser in any way, shape or form.

    1. Re:The weakest link in the chain, yada-yada... by jabuzz · · Score: 1

      The problem is when you accidentally misclick and the damn thing then remembers your password. Then you have to mess about making it forget that you put a password in.

  25. Why does the first-party need this? by ragahast · · Score: 1
    From TFA:

    Fortunately, we haven’t found password theft on the 50,000 sites that we analyzed. Instead, we found tracking scripts embedded by the first party abusing the same technique to extract email addresses for building tracking identifiers.

    Why would the first party need to steal my email address / username? I just used it to log in to their site!

    --
    .:Semper Absurda:.
    1. Re:Why does the first-party need this? by ragahast · · Score: 1

      I guess it only says "embedded by" so they may not be aware, or may be complicit in allowing the third-party to also get this information.

      --
      .:Semper Absurda:.
  26. Firefox not vulnerable? by JThundley · · Score: 1

    I don't think Firefox is vulnerable to this because it requires you to click in the field to fill your credentials first.

  27. Re: America is truly f*cked. Wake up!! by Anonymous Coward · · Score: 0

    So, let's get down to the real reason for your post....who would win in a fatal 4 death match, God vs Jesus vs Alex Jones vs the poster.

    Place your bets, mine's on Alex Jones.

  28. well by Anonymous Coward · · Score: 0

    using a horrifyingly deformed, homemade version of firefox, with some code from 3.0.17 (last somewhat normal version imo) and backported security patches here.

    the test site sorta kinda works.. after enabling the external test site in the requestpolicy and allowing its encryption cert to be used manually and allowing it to run inline js

    Wake me up when this thing is possible without js. If it's js and SSL dependent, who cares.

  29. Yet another reason... by Macdude · · Score: 1

    I'll just add this as yet another reason to use an ad blocker, a JavaScript blocker and not use a login manager.

    --
    "Grab them by the pussy" -- President of the United States of America
  30. Re:America is truly f*cked. Wake up!! by Anonymous Coward · · Score: 1

    BORING.