Built-in login managers are a security sieve -- but not in the way long known by IT teams, according to a report by Princeton researchers Gunes Acar, Steven Englehardt and Arvind Narayanan.
The old way involved “password exfiltration by malicious scripts through cross-site scripting (XSS) attacks,” they remind us. The new twist: tracking scripts now insert an invisible login form, which the browser’s login manager fills in, the researchers write.
The result is that the third-party script “retrieves the user’s email address by reading the populated form and sends the email hashes to third-party servers.”
It’s one more headache for security professionals who want to protect their customers and comply with GDPR. And it’s bad news for CEOs who don’t need another privacy issue to defend themselves against. The findings are already spreading around the internet.
This seems like a complicated process, but it may be frightfully easy for malefactors. It starts when a visitor “fills out a login form on the page and asks the browser to save the login,” the authors write. On that page, the tracking script is not yet present.
Typically, the user then visits another page on the site, and this page does include the third-party tracking script. That script inserts “an invisible login form, which is automatically filled in by the browser’s login manager.”
Thus, evildoers can “extract email addresses for building tracking identifiers,” the researchers continue.
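As an added illustration (not from the article or the Princeton paper), here is a page-side guard a site owner could deploy against the flow just described: it watches the DOM for login forms injected after load that are hidden or positioned off-screen, and removes them before the login manager can populate them. The descriptor fields and function names are this example's own assumptions; most browsers ignore autocomplete="off" for credential fields, which is why the guard removes the form rather than relying on that attribute.

```javascript
// Added example: detect and remove invisible login forms injected after page load.
// isSuspiciousLoginForm() is pure so it can be tested without a DOM; the
// descriptor shape below is an assumption of this example, not a browser API.
function isSuspiciousLoginForm(desc) {
  // Autofill of the username field is triggered by a password field in the same form.
  if (!desc.hasPasswordField || !desc.hasTextField) return false;
  if (!desc.insertedAfterLoad) return false;
  const hiddenByStyle =
    desc.display === 'none' || desc.visibility === 'hidden' || desc.opacity === 0;
  const zeroSized = desc.width === 0 || desc.height === 0;
  const offScreen = desc.left < -desc.width || desc.top < -desc.height;
  return hiddenByStyle || zeroSized || offScreen;
}

// Build the descriptor from a live <form> element (DOM-only path).
function describeForm(form, win) {
  const style = win.getComputedStyle(form);
  const rect = form.getBoundingClientRect();
  return {
    hasPasswordField: !!form.querySelector('input[type="password"]'),
    hasTextField: !!form.querySelector('input[type="text"],input[type="email"],input:not([type])'),
    insertedAfterLoad: true, // only forms seen by the MutationObserver reach here
    width: rect.width, height: rect.height, left: rect.left, top: rect.top,
    display: style.display, visibility: style.visibility, opacity: parseFloat(style.opacity),
  };
}

// Install the observer; returns the list of removed forms, or null when there is no DOM.
function installGuard(win = globalThis) {
  if (!win.document || !win.MutationObserver) return null;
  const removed = [];
  const obs = new win.MutationObserver((records) => {
    for (const rec of records) {
      for (const node of rec.addedNodes) {
        if (!(node instanceof win.HTMLElement)) continue;
        const forms = node.matches('form') ? [node] : [...node.querySelectorAll('form')];
        for (const f of forms) {
          if (isSuspiciousLoginForm(describeForm(f, win))) {
            removed.push(f.outerHTML); // keep a copy for reporting to the site's telemetry
            f.remove();                // drop it before the login manager fills it
          }
        }
      }
    }
  });
  obs.observe(win.document.documentElement, { childList: true, subtree: true });
  return removed;
}
```

Run installGuard() as early as possible (inline in the document head) so the observer is registered before any third-party script executes.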
The researchers didn’t find password theft on the 50,000 sites they analyzed. But they did identify the new problem: Third-party scripts can “exploit browsers’ built-in login managers (also called password managers) to retrieve and exfiltrate user identifiers without user awareness.”
They believe they are the first to identify this security fissure.
Well, good for them. Wish we didn’t have to tell you this during the holiday week.