Your web browser's password manager is helping ad companies track you across the web

There are a few things you'll hear in every conversation about internet security; one of the first ones would be to use a password manager. I've said it, most of my coworkers have said it, and chances are you've said it while helping someone else sort out ways to keep their data safe and sound. It's still good advice, but a recent study from Princeton University's Center for Information Technology Policy has found that the password manager in your web browser you might use to keep your information private is also helping ad companies track you across the web.

It's a frightening scenario from all sides, mostly because it's not going to be easy to fix. What's happening isn't the stealing of any credentials — an ad company doesn't want your username and password — but the behavior a password manager uses is being exploited in a very simple way. An ad company places a script on a page (two called out by name are AdThink and OnAudience) that acts as a login form. It's not a real login form, as in it's not going to connect you to any service, it's "just" a login script.

When your password manager sees a login form, it enters a username. Browsers tested were: Firefox, Chrome, Internet Explorer, Edge, and Safari. Chrome, for example, will not enter the password until the user interacts with the form, but it enters a username automatically. That's fine because that is all the script wants or needs. Other browsers behaved the same, as expected.

Once your username is entered, it and your browser ID are hashed into a unique identifier. You don't need to save anything on your computer or phone because the next time you visit a site that is using the same ad company you get another script acting as a login form and your username is once again entered. The data is compared to what's on file, and et voilà a unique identifier has been attached to you and can be (and is being) used to track you across the web. And this works because this is expected and "trusted" behavior. Besides a roadmap of your internet habits, data found to be attached to this UUID also includes browser plugins, MIME types, screen dimensions, language, timezone information, user agent string, OS information, and CPU information.

The set of heuristics used to determine which login forms will be autofilled varies by browser, but the basic requirement is that a username and password field be available

It works because of what's known as the Same Origin Policy. When content from two different sources is presented it is not to be trusted, but once a source is trusted all content for the current session is also trusted (trust in this sense means you're purposefully viewing or interacting with the content). You've directed your browser to a webpage and interacted with a login form on that page, so it's all treated as being trusted while you're on the page. In this case, though, the script was embedded into a page but is actually from a different source and shouldn't be trusted until you've clicked or interacted in some way to show you intended to be there.

If the offending page elements were embedded in an iframe or another method that matches the source and destination of the data, the automatic-ness of this exploit (and yes, I'll call it an exploit) wouldn't work.

A list of known sites embedding scripts that abuse login manager for tracking

There's a very good chance that the web publishers using ad services that exploit this behavior have no idea of what's happening to their users. While that doesn't exempt them from responsibility it is ultimately their product being used to harvest data from users without their knowledge, and that should make every site administrator concerned (and possibly very irate). As a user, there's not much we can do other than follow the same "incognito" web browsing practices used when we want to stay a little more private on the web. That means to block all scripts, block all ads, save no data, accept no cookies and basically treat each web session as its own sandbox.

The only true fix is to change the way password managers work through the browser — both built-in tools and extensions or other plugins. Arvind Narayanan, one of the professors who worked on the project, puts it succinctly:

It won't be easy to fix, but it's worth doing

Google, Microsoft, Apple, and Mozilla all shaped the web into what it is today, and they are capable of changing things to meet new issues. Hopefully, this is on the short list of changes.

Jerry Hildenbrand
Senior Editor — Google Ecosystem

Jerry is an amateur woodworker and struggling shade tree mechanic. There's nothing he can't take apart, but many things he can't reassemble. You'll find him writing and speaking his loud opinion on Android Central and occasionally on Twitter.