Slashdot Mirror
Web Trackers Exploit Flaw In Browser Login Managers To Steal Usernames (bleepingcomputer.com)
An anonymous reader writes: Princeton privacy experts are warning that advertising and analytics firms can secretly extract site usernames from browsers using hidden login fields and tie non-authenticated users visiting a site with their profiles or emails on that domain. This type of abusive behavior is possible because of a design flaw in the login managers included with all browsers. Experts say that web trackers can embed hidden login forms on sites where the tracking scripts are loaded. Because of the way the login managers work, the browser will fill these fields with the user's login information, such as username and passwords.
The trick is an old one, known for more than a decade but until now it's only been used by hackers trying to collect login information during XSS (cross-site scripting) attacks. Princeton researchers say they recently found two web tracking services that utilize hidden login forms to collect login information. The two services are Adthink (audienceinsights.net) and OnAudience (behavioralengine.com), and Princeton researchers said they identified scripts from these two that collected login info on 1,110 sites found on the Alexa Top 1 Million sites list. A demo page has been created to show how the tracking works.
The trick is an old one, known for more than a decade but until now it's only been used by hackers trying to collect login information during XSS (cross-site scripting) attacks. Princeton researchers say they recently found two web tracking services that utilize hidden login forms to collect login information. The two services are Adthink (audienceinsights.net) and OnAudience (behavioralengine.com), and Princeton researchers said they identified scripts from these two that collected login info on 1,110 sites found on the Alexa Top 1 Million sites list. A demo page has been created to show how the tracking works.
I just tested and it does not work with Lastpass (on Chrome)
turn off the computer ;)
This is simply outright what is colloquially known as "hacking". Which is why the CFAA needs to be applied. Why haven't these researchers told their AG?
After all, when normal users find a unsecured database by some corporation and access it, they get sued too. Same standard here applies, and this time the culprits even use a documented security hole, meaning the crime is wholly willful.
If the browser lets the event that triggers the filling be automated, yes. This is the part that must not be possible.
Again, it's down to the browser, nothing else.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
are the CEO's arrested yet?
company assets seized?
if not, when will this happen?