Slashdot Mirror

← Back to Stories (view on slashdot.org)

Web Trackers Exploit Flaw In Browser Login Managers To Steal Usernames (bleepingcomputer.com)

Posted by msmash on from the security-woes dept.

An anonymous reader writes: Princeton privacy experts are warning that advertising and analytics firms can secretly extract site usernames from browsers using hidden login fields and tie non-authenticated users visiting a site with their profiles or emails on that domain. This type of abusive behavior is possible because of a design flaw in the login managers included with all browsers. Experts say that web trackers can embed hidden login forms on sites where the tracking scripts are loaded. Because of the way the login managers work, the browser will fill these fields with the user's login information, such as username and passwords.

The trick is an old one, known for more than a decade but until now it's only been used by hackers trying to collect login information during XSS (cross-site scripting) attacks. Princeton researchers say they recently found two web tracking services that utilize hidden login forms to collect login information. The two services are Adthink (audienceinsights.net) and OnAudience (behavioralengine.com), and Princeton researchers said they identified scripts from these two that collected login info on 1,110 sites found on the Alexa Top 1 Million sites list. A demo page has been created to show how the tracking works.

43 of 76 comments (clear)

  1. This still works? by TheRaven64 · · Score: 1

    I remember reading about this years ago, and was under the impression that this had been fixed by browsers filling the form fields in the UI, but not in the DOM, until the user explicitly selected one of the fields in the same form. There are still some sneaky things you can do (for example, have a 1px by 1px form field so the user submits more information than they think they are submitting), but you can't just grab the data from the form until the user interacts with some part of it.

    --
    I am TheRaven on Soylent News
    1. Re:This still works? by Opportunist · · Score: 1

      It should not be. For exactly the reason the article says, a sensible browser will only start autofilling once you start to interact with a field.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    2. Re:This still works? by fubarrr · · Score: 1

      But nothing prevents a synthetic event from triggering the filling in any webkit based browser

    3. Re:This still works? by Opportunist · · Score: 2

      If the browser lets the event that triggers the filling be automated, yes. This is the part that must not be possible.

      Again, it's down to the browser, nothing else.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    4. Re:This still works? by gweihir · · Score: 1

      All the old flaws are coming back, because the younger generation of developers have in general much less of a clue than the ones that created the flaws originally. It is really incredible how utterly clueless many developers are today when it comes to security.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    5. Re:This still works? by VeryFluffyBunny · · Score: 1

      You mean like interacting with a keyword search or clicking on a preference tick box? The rest of the form would be invisible and auto-filled.

      I never let browsers store any of my login information. I take my laptop out and about a lot so I assume that it'll get lost or stolen sooner or later (luckily hasn't happened yet). Imagine losing your laptop with easily find-able passwords on it?

      I always use a separate, local, encrypted password manager and copy and paste the credentials across, then the paste-board automatically wipes. Using a password manager also means that I use the longest, strongest possible passwords and I can easily backup the encrypted password database.

      --
      Debate is a form of harassment. Do not question my truth.
  2. Want to take bets? by Opportunist · · Score: 1

    My crystal ball tells me we'll hear about a surefire way to block those ad services in no later than 10 postings, 20 tops.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    1. Re:Want to take bets? by Anonymous Coward · · Score: 2, Funny

      turn off the computer ;)

    2. Re:Want to take bets? by mrbester · · Score: 1

      I would, but it hasn't told me it is safe to do so yet.

      --
      "Wait. Something's happening. It's opening up! My God, it's full of apricots!"
  3. Good news by fennec · · Score: 4, Informative

    I just tested and it does not work with Lastpass (on Chrome)

    1. Re:Good news by Erik+Hensema · · Score: 1

      Indeed. It however does work when you manually tell LastPass to fill a password. But nothing in the UI prompts you to do so, so I consider this safe behavior.

      --

      This is your sig. There are thousands more, but this one is yours.

    2. Re: Good news by Anonymous Coward · · Score: 1

      Chrome FIX
      enable chrome://flags/#fill-on-account-select

    3. Re:Good news by Carcass666 · · Score: 1

      Ditto on LastPass and Firefox Developer (although, to be hones, LastPass on Firefox Quantum only seems to work 3/4 of the time anyway...)

    4. Re:Good news by AmiMoJo · · Score: 1

      Doesn't work in Chrome full stop. Chrome doesn't auto-fill if any script on the page can read the login form, it waits for the user to start typing in the field. Same with credit card auto fill.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    5. Re:Good news by KingMotley · · Score: 1

      Not sure you actually tried it. I just did with Version 63.0.3239.84 (Official Build) (64-bit), and it immediately pulled the username, and as soon as I clicked on anything on the page it also grabbed the password.

    6. Re:Good news by ragahast · · Score: 1

      Indeed. It however does work when you manually tell LastPass to fill a password. But nothing in the UI prompts you to do so, so I consider this safe behavior.

      The important thing is what happens if there is a real login field and the third party fields are hidden.

      It looks like the only safe way to use LastPass is copy-and-paste. Which, in retrospect, makes sense.

      --
      .:Semper Absurda:.
    7. Re: Good news by khandom08 · · Score: 1

      Indeed it does :)

    8. Re:Good news by AlejandroTejadaC · · Score: 1

      This exploit does not works either with Private Windows on Firefox... but actually does works with Firefox Public Windows. Should we use only Firefox's Private windows from now on?

    9. Re:Good news by bingoUV · · Score: 1

      In OSes and individual applications that might be in focus : clipboard stealing attacks commonly keep getting found, published, occasionally fixed. So you need to track a lot of vulnerabilities if you use copy and paste.

      --
      Bingo Dictionary - Pragmatist, n. A myopic idealist.
  4. Russians are evil by WCMI92 · · Score: 1

    So are advertisers. They have no morals, just like marketing graduates...

    --
    Corporatism != Free Market
  5. advertising is a crime by mapkinase · · Score: 1

    Go to Kinkos, laminate and hang it in your all.

    --
    I do not believe in karma. "Funny"=-6. Do good and forbid evil. Yours, Oft-Offtopic Flamebaiting Troll.
  6. This is not "abuse" by klingens · · Score: 5, Insightful

    This is simply outright what is colloquially known as "hacking". Which is why the CFAA needs to be applied. Why haven't these researchers told their AG?
    After all, when normal users find a unsecured database by some corporation and access it, they get sued too. Same standard here applies, and this time the culprits even use a documented security hole, meaning the crime is wholly willful.

    1. Re:This is not "abuse" by Anonymous Coward · · Score: 1

      And the corporations even being located where they can be held responsible. Nice.

  7. NoScript by evanh · · Score: 1

    for the win! :)

    1. Re:NoScript by sound+vision · · Score: 1

      How current are we talking? Because I did an OS wipe around 3 weeks ago, used whatever the default installer on Mozilla's site is, and let it update itself using all the default settings, and NoScript works here. I do recall reading something last month about there briefly being no version of NoScript that would run on the latest Firefox, but whatever that was, it appears to be fixed.

  8. iOS with Purify blocking scripts by default by 93+Escort+Wagon · · Score: 1

    Seems to prevent it from working. But another browser (Safari on OS X) which doesn’t block scripts by default gave up the credentials.

    So I guess the solution is NoScript or the equivalent.

    --
    #DeleteChrome
  9. Firefox : pull-down menu by DrYak · · Score: 1

    I remember reading about this years ago, and was under the impression that this had been fixed by browsers filling the form fields in the UI, but not in the DOM, until the user explicitly selected one of the fields in the same form.

    That's the case in Firefox :
    - you need to click on either the username or password field to get a pull-down menu that gives you information about the login, and gives you a selection of passwords saved in the manager.

    Also, with most browsers you get extensions like Block Origin, AdBlock Plus, etc. which are going to block most common advertisers.

    And extensions such as Privacy Badger which is going to block most common tracker.

    And specifically in Firefox (because it requires to either have the new additional extensions that they've added to web extensions to enable this kind of software in the latest firefox, or to have the XUL API in the long term support version) you can also have NoScript, which is going to block all non-explicitely-authorised JavaScript (so tracker missed by the blacklists of UBO, ADP, etc. are blocked anyway), and provides additional alerts against cross site scripting (XSS).

    Remember: just as you never fuck without condom, you never surf without your security extensions.

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
    1. Re:Firefox : pull-down menu by houghi · · Score: 1

      Firefox 52.5.0 (64-bit)
      Fill out username and pass and remember it. It shows username and pass.
      Redo it and add a new username and/or pass and it will see nothing.
      Remove one of the two and it will show username and pass.
      I deleted the first one. So it did not show the second one when there where two passwords, but did so when only one was available.

      I already have different blockers and trackers, so I installed Privacy Badger. Well, guess what? There was no difference.

      Remember: you still get can get fucked against your will without a condom.

      --
      Don't fight for your country, if your country does not fight for you.
  10. Re:Good News! by Anonymous Coward · · Score: 1

    unless you actively tell it to populate the web page.

    So, like, wiggle your leg at the same time you tell it to populate the web page?

  11. Pi-hole or ublock when travelling FTW by wbr1 · · Score: 1
    https://pi-hole.net/

    pi-hole that shit.

    --
    Silence is a state of mime.
  12. all i want to know is ... by Anonymous Coward · · Score: 2, Interesting

    are the CEO's arrested yet?
    company assets seized?

    if not, when will this happen?

    1. Re: all i want to know is ... by GameboyRMH · · Score: 1

      Came here to say this, If these ad companies were harvesting passwords, the punishments need to be dire. People need to go to jail, people at the top.

      Also, I've always thought that browser-integrated password managers were an inherently terrible idea due to the potential for exploits like this, so it's good to be proven right again.

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
  13. Who uses autocomplete? by jbmartin6 · · Score: 1

    More and more, the only defense is don't use it and don't have it.

    --
    This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
  14. Safari affected, too by Rick+Zeman · · Score: 1

    So I wonder how the companies can justify this? I can't think of any compelling legal reason to get users' login information.

    1. Re:Safari affected, too by Fringe · · Score: 1

      I'm not sure you know the meaning of the word "compelling". Or perhaps "legal". It may not seem ethical, but what they're doing is using another bit of data you are voluntarily (by virtue of your chosen browser settings) providing to "fingerprint" you. It is a bit worse than IP Address or cookie tracking, or way back when mobile phones included a device identifier in the header, but only barely.

      So why is it compelling? Because their revenue is based on tracking and monetizing your interests.

      Why is it legal? Because there's no law against it.

  15. Hosts files ftw by Anonymous Coward · · Score: 1

    0.0.0.0 audienceinsights.net
    0.0.0.0 behavioralengine.com

  16. It does so work against Chrome... by Fringe · · Score: 1

    I just tried it with Chrome 63.0.3239.108; it retrieved the username immediately.

  17. Re:The weakest link in the chain, yada-yada... by jabuzz · · Score: 1

    The problem is when you accidentally miss click and the dam thing then remembers your password. Then you have to mess about making it forget that you put a password in.

  18. Why does the first-party need this? by ragahast · · Score: 1
    From TFA:

    Fortunately, we haven’t found password theft on the 50,000 sites that we analyzed. Instead, we found tracking scripts embedded by the first party abusing the same technique to extract emails addresses for building tracking identifiers.

    Why would the first party need to steal my email address / username? I just used it to log in to their site!

    --
    .:Semper Absurda:.
    1. Re:Why does the first-party need this? by ragahast · · Score: 1

      I guess it only says "embedded by" so they may not be aware, or may be complicit in allowing the third-party to also get this information.

      --
      .:Semper Absurda:.
  19. Firefox not vulnerable? by JThundley · · Score: 1

    I don't think Firefox is vulnerable to this because it requires you to click in the field to fill your credentials first.

  20. Yet another reason... by Macdude · · Score: 1

    I'll just add this as yet another reason to use an ad blocker, a JavaScript blocker and not use a login manager.

    --
    "Grab them by the pussy" -- President of the United States of America
  21. Re:America is truely f*cked. Wake up!! by Anonymous Coward · · Score: 1

    BORING.