Password managers have been around for quite some time, and most of us rely on them to manage our passwords across many websites. Services like LastPass, 1Pass, and KeePass are popular with users. Apart from saving your credentials, password managers also help by generating strong passwords. Nevertheless, password managers have been vulnerable to attacks.
Research from Princeton’s Center for Information Technology Policy has discovered that web trackers can exploit password managers to track users. We have already seen how attackers use in-browser extensions to track user behavior. Now it seems that trackers have found a way to follow users by exploiting a loophole in password managers.
This is how the tracking script works. When a user logs in to a website, the credentials are generally stored in the password manager. The tracking script runs on third-party sites, where it injects a login form that the user never sees. Password managers fill out that form as soon as they detect a site that matches an entry in their database. The script then reads the username, hashes it and sends the hash to third-party servers.
The researchers analyzed two different scripts that are used to obtain identifying information about users: one called AdThink and the other OnAudience, both of which work by injecting invisible login forms into web pages. The hashed username can then be used to recognize the same user across sites without cookies or any other form of user tracking.
User tracking is often the cornerstone of advertising, and while there are legitimate ways to track user behavior, others fall into a grey area. Scripts like these can gather a frightening amount of data, including user interests, financial services used and other details that help advertising services profile users.
The AdThink script contains very detailed categories for personal, financial and physical traits, as well as intents, interests and demographics.
That being said, users can check the status of tracking and opt out of it by clicking here. One can also add the URLs to a blacklist manually or use EasyPrivacy to do the same. On a closing note, the advertising industry has often been accused of trying to track users without consent. At the same time, most sites do rely on third-party adverts to fund their operations. I hope that the advertising industry evolves beyond the illegitimate methods and abides by a functional framework instead.
Working as a cyber security solutions architect, Alisa focuses on bug bounty and network security. Before joining us she held cyber security researcher positions at a variety of cyber security start-ups. She also has experience in different industry domains such as finance, healthcare and consumer products.