The site Freedom to Tinker, which is hosted by Princeton’s Center for Information Technology Policy, has started publishing an ongoing series called “No Boundries” around the topic of how third-party scripts on sites can exploit browsers to collect/extract user data in growing ways.
Their second installment focuses on how the well-known vulnerabilities of browser login managers can provide trackers with user information – not for the purposes of stealing passwords which has been looked at many times, but for the purposes of web tracking which can then be monetized to other companies.
Who is doing this?
Freedom to Tinker lists examples of two scripts that are taking advantage of password managers for tracking purposes: Adthink (audienceinsights.net) and OnAudience (behavioralengine.com). The article also provides this list of sites that have the scripts embedded if you’re interested in taking a look.
How can it be stopped?
After going into a little bit of the history of why the situation even exists (it basically comes down to the normal struggles of trying to get many different players to agree on who has responsibility for protecting against this type of thing), Freedom to Tinker offers steps that Publishers, users, and Browser vendors can all take to help prevent this from happening. Suggestions range from isolating login forms on separate sub-domains, to installing ad-blockers, to requiring user interaction before completing password auto-fills.
It’s an interesting read and food-for-thought in terms of how folks with malicious (or at minimum, ethically questionable) intent will almost always find ways to gather data whenever possible.
See the full article here