Your web browser's password manager is helping ad companies track you across the web

There are a few things you'll hear in every conversation about internet security; one of the first ones would be to use a password manager. I've said it, most of my coworkers have said it, and chances are you've said it while helping someone else sort out ways to keep their data safe and sound. It's still good advice, but a recent study from Princeton University's Center for Information Technology Policy has found that the password manager in your web browser you might use to keep your information private is also helping ad companies track you across the web.

It's a frightening scenario from all sides, mostly because it's not going to be easy to fix. What's happening isn't the stealing of any credentials — an ad company doesn't want your username and password — but the behavior a password manager uses is being exploited in a very simple way. An ad company places a script on a page (two called out by name are AdThink and OnAudience) that acts as a login form. It's not a real login form, as in it's not going to connect you to any service, it's "just" a login script.

When your password manager sees a login form, it enters a username. Browsers tested were: Firefox, Chrome, Internet Explorer, Edge, and Safari. Chrome, for example, will not enter the password until the user interacts with the form, but it enters a username automatically. That's fine because that is all the script wants or needs. Other browsers behaved the same, as expected.

Once your username is entered, it and your browser ID are hashed into a unique identifier. You don't need to save anything on your computer or phone because the next time you visit a site that is using the same ad company you get another script acting as a login form and your username is once again entered. The data is compared to what's on file, and et voilà a unique identifier has been attached to you and can be (and is being) used to track you across the web. And this works because this is expected and "trusted" behavior. Besides a roadmap of your internet habits, data found to be attached to this UUID also includes browser plugins, MIME types, screen dimensions, language, timezone information, user agent string, OS information, and CPU information.

The set of heuristics used to determine which login forms will be autofilled varies by browser, but the basic requirement is that a username and password field be available

It works because of what's known as the Same Origin Policy (opens in new tab). When content from two different sources is presented it is not to be trusted, but once a source is trusted all content for the current session is also trusted (trust in this sense means you're purposefully viewing or interacting with the content). You've directed your browser to a webpage and interacted with a login form on that page, so it's all treated as being trusted while you're on the page. In this case, though, the script was embedded into a page but is actually from a different source and shouldn't be trusted until you've clicked or interacted in some way to show you intended to be there.

If the offending page elements were embedded in an iframe or another method that matches the source and destination of the data, the automatic-ness of this exploit (and yes, I'll call it an exploit) wouldn't work.

A list of known sites embedding scripts that abuse login manager for tracking

There's a very good chance that the web publishers using ad services that exploit this behavior have no idea of what's happening to their users. While that doesn't exempt them from responsibility it is ultimately their product being used to harvest data from users without their knowledge, and that should make every site administrator concerned (and possibly very irate). As a user, there's not much we can do other than follow the same "incognito" web browsing practices used when we want to stay a little more private on the web. That means to block all scripts, block all ads, save no data, accept no cookies and basically treat each web session as its own sandbox.

The only true fix is to change the way password managers work through the browser — both built-in tools and extensions or other plugins. Arvind Narayanan, one of the professors who worked on the project, puts it succinctly:

It won't be easy to fix, but it's worth doing

Google, Microsoft, Apple, and Mozilla all shaped the web into what it is today, and they are capable of changing things to meet new issues. Hopefully, this is on the short list of changes.

Jerry Hildenbrand
Senior Editor — Google Ecosystem

Jerry is an amateur woodworker and struggling shade tree mechanic. There's nothing he can't take apart, but many things he can't reassemble. You'll find him writing and speaking his loud opinion on Android Central and occasionally on Twitter.

  • Sneaky Sneaky Sneaky...
  • > The only true fix is to change the way password managers work through the browser — both built-in tools and extensions or other plugins. 1Password isn't affected by this:
  • Nor LastPass from what I've heard.
  • There is so much money to be made by 1) uniquely identifying users, 2) collecting additional data about those users, 3) serving highly targeting/high price ads to those users. Some companies make money doing all three while others just focus on tracking users and adding additional data about them (this person likes cars, this person lives in NY, this person shops for shoes online, etc etc etc). The more detailed 'profile' a company can build up about a user the more advertisers will pay to target those users because the ads will be that much more effective at generating sales/leads/signups/etc. The Facebook button on the side of this website for example sends your information back to Facebook, even if you dont click on it, allowing Facebook to 1) uniquely identify you, 2) collect information about the kind of content you like, 3) serve highly targeted ads to you. So while this feels creepy and wrong, you're still being tracked in dozens of ways by hundreds (or thousands) of companies you've never heard of just because you visited a news site, blog, or opened your email. Your data is being linked with other data, compiled into huge profiles about you, then packaged, and access to it is sold to other companies you've never heard of so they can combine it with other data or target ads to. Some day, some how, digital advertising is going to have its pants pulled down. There will be a moment when the wrong data is leaked about a politician or celebrity, and everyone is going to look up and realize the problem is much much worse than people think and there are huge players (think Equifax) who have information about us we never knowingly signed up for.
  • Yep We are a commodity. Trading material. Information highway.
  • "The only true fix is to change the way password managers work through the browser — both built-in tools and extensions or other plugins." - Nice scaremongering. Everything I've seen says 3rd party ones are fine. I just see this as another reason I adblock. Can easily block this on my router's hosts file too.
  • From what I can tell this, at some level is a nothing burger unless one has their password manager set to "auto fill" fields with no user confirmation. I use RoboForm and when I come to a site I have my RoboForm set up so that I have to select the login and then fill it in versus have RoboForm automatically fill in the login information when I reach the site. From what I can tell, the only true risk is that if an ad company (or another third party) has a hidden login and password field embedded on a legitimate login page. I think Jerry is one of the best tech bloggers on any of the sites I peruse, however, I think Jerry really dropped the ball on this article as it is short on details and long on fear mongering.
  • "From what I can tell" says it all for me. What do any of us really know about what's going on inside our phones or with every interaction we make online. We're all hooked and there is no escape. Begining with Snowdon and right through to Jerry here today, I think we should at least listen to the warnings and push our politicians to act on our behalf.... If anything can be done?
  • Cool, you go to their site they can track you, this isn't new to us and has existed for years at this point.