theverge | Nearly every web browser now comes with a password
manager tool, a lightweight version of the same service offered by
plugins like LastPass and 1Password. But according to new research from Princeton's Center for Information Technology Policy, those same managers are being exploited as a way to track users from site to site.
The researchers examined two different scripts — AdThink
and OnAudience — both of are designed to get identifiable information
out of browser-based password managers. The scripts work by injecting
invisible login forms in the background of the webpage and scooping up
whatever the browsers autofill into the available slots. That
information can then be used as a persistent ID to track users from page
to page, a potentially valuable tool in targeting advertising.
The plugins focus largely on the usernames, but according
to the researchers, there’s no technical measure to stop scripts from
collecting passwords the same way. The only robust fix would be to
change how password managers work, requiring more explicit approval
before submitting information. “It won't be easy to fix, but it's worth
doing,” says Arvind Narayanan, a Princeton computer science professor
who worked on the project.
