Ad firms use browser password managers to track users

Passwords stored on web browsers such as Google Chrome or Safari aren’t as secure as you think, according to new research.

Advertising firms are stealing information from browser password managers without the permission of users, a new study shows.

This security loophole could be used to access people’s passwords, the researchers said, raising concerns that hackers could exploit the fault. 


WHAT IS A PASSWORD MANAGER? 

Login details can be stored on web browsers such as Google Chrome, Firefox or Safari as a way to securely store your usernames and passwords.

When you load a website with saved login information, your browser will automatically fill the details into the login form.

But new research suggests these password managers aren’t as secure as many believe.


Nearly every web browser now comes with a password manager tool, which securely stores your usernames and passwords so you don’t have to memorise them.

When you load a website with a saved username and password, your browser will automatically fill the details into the login form.

But new research, from cyber security experts at Princeton University, New Jersey, shows ad firms are able to access the information stored within these managers.

Web trackers create invisible login forms in the background of web pages to trick your password manager into filling in information without your permission.

The details are used to track you from website to website to gather information on your browsing habits, which can then be used to target advertisements.
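A defensive check for the technique described above, as an added example that is not from the article or the Princeton study: it flags forms injected by a script from another host whose login fields are all invisible. The snapshot object shape, the function names and the example hosts are assumptions made for illustration.

```javascript
// Added example: heuristic audit for the invisible-login-form pattern.
// Each form is a plain-object snapshot (hypothetical shape); in a browser the
// values would come from the DOM, getComputedStyle and getBoundingClientRect.
const CREDENTIAL_TYPES = new Set(["email", "password"]);
const CREDENTIAL_AUTOCOMPLETE = new Set(["username", "email", "current-password"]);

function isCredentialField(input) {
  return CREDENTIAL_TYPES.has(input.type) ||
    CREDENTIAL_AUTOCOMPLETE.has(input.autocomplete || "");
}

// A field the user cannot see: hidden by CSS, zero-sized, or placed off screen.
function isInvisible(input) {
  const s = input.style;
  return s.display === "none" || s.visibility === "hidden" ||
    Number(s.opacity) === 0 || input.width === 0 || input.height === 0 ||
    input.left + input.width <= 0 || input.top + input.height <= 0;
}

// Simplification: "third party" means a different hostname than the page.
function hostOf(url) {
  return new URL(url).hostname;
}

// Flag forms inserted by a script from another host whose credential
// fields are all invisible to the user.
function findSuspectForms(pageUrl, forms) {
  const pageHost = hostOf(pageUrl);
  return forms.filter((form) => {
    const creds = form.inputs.filter(isCredentialField);
    if (creds.length === 0) return false;
    const thirdParty = form.insertedBy !== null && hostOf(form.insertedBy) !== pageHost;
    return thirdParty && creds.every(isInvisible);
  }).map((form) => ({ id: form.id, insertedBy: form.insertedBy,
    fields: form.inputs.filter(isCredentialField).map((i) => i.type) }));
}

// Constructed sample data: a visible first-party login form and a hidden injected one.
const visible = { display: "block", visibility: "visible", opacity: "1" };
const SAMPLE_FORMS = [
  { id: "login", insertedBy: null, inputs: [
    { type: "email", autocomplete: "username", style: visible, width: 240, height: 32, left: 100, top: 200 },
    { type: "password", autocomplete: "current-password", style: visible, width: 240, height: 32, left: 100, top: 240 } ] },
  { id: "f-0", insertedBy: "https://tracker.example/t.js", inputs: [
    { type: "email", autocomplete: "", style: { ...visible, display: "none" }, width: 0, height: 0, left: 0, top: 0 },
    { type: "password", autocomplete: "", style: visible, width: 10, height: 10, left: -5000, top: 0 } ] },
];

console.log(findSuspectForms("https://shop.example/", SAMPLE_FORMS));
```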

The researchers say that two popular website tracking scripts, called AdThink and OnAudience, are designed to exploit password managers to track users.

In the case of AdThink, the information it takes is fed to the large consumer data broker Acxiom, which builds files on users to help target advertisements.

While the scripts focus mostly on people’s usernames, the researchers say they contain no technical measures to stop passwords being collected too.

The only secure fix would be to change how password managers work, requiring more explicit user approval before they hand information to such scripts.


‘It won’t be easy to fix, but it’s worth doing,’ Professor Arvind Narayanan, a Princeton computer science researcher who worked on the project, said.

But most of the blame should be placed on websites that choose to run scripts like AdThink without realising how invasive they are, the researchers said.

‘We’d like to see publishers exercise better control over third parties on their sites,’ Professor Narayanan said.

‘These problems arise partly because website operators have been lax in allowing third-party scripts on their sites without understanding the implications.’



Read more at DailyMail.co.uk