Researchers at Princeton University have shown that a vulnerability identified 11 years ago in the password managers built into web browsers can be exploited to allow third parties to track users across more than a thousand websites. The attack depends on the managers' autofill capability, and works by injecting an invisible login form onto non-login pages on sites where users have already stored their credentials. The password manager fills in the user's email address and password, and the script reads them, creates hashes of the email address using the three most commonly used standards (MD5, SHA1, and SHA256), and sends it to the third-party server. The companies that plant the scripts use these hashes to request matching data from data brokers such as Axciom. Because email addresses rarely change, the users can be tracked across the web even if they change browsers, devices, or apps. The vulnerability has persisted because from the point of view of the browser manufacturer everything is working as it should, and because publishers have few better options for managing trusted relationships with legitimate third parties that supply scripts for their sites. The researchers outline steps that publishers, users, and browser vendors can take to protect themselves; none is perfect.


Related learning resources