These companies can steal passwords from your browser, and you don't even know it
The diagram shows the procedure:
- The user fills in a login form and lets the browser save the credentials. This is not an attack on the protocol, so it makes no difference whether the browser-to-website connection is encrypted (HTTPS) or not (HTTP).
- On a later page, a third-party tracking script embedded in the site inserts an invisible login form, which the browser's password manager fills in with the saved credentials.
- The script reads the autofilled email address, hashes it and sends the hash to the tracking company's server, which collects such data.
Some may find it strange that filling in the form requires no interaction from the user. Well, it largely does not: all major browsers fill in the user name (and often the email address) immediately, regardless of whether the form is visible. The password field is the exception in Chrome: it is not filled until the user clicks anywhere on the page. The other browsers tested by the authors of the experiment (Firefox, Internet Explorer, Edge, Safari) require no interaction at all, so both the login and the password box are filled automatically. All of this is of course subject to the browser's settings and to whether we agreed to have the form data remembered.
You can test how it works on this site by entering any data (preferably not your real credentials).
Sometimes a picture conveys the message better than even the most accurate description (see the video).
The dangerous part is the correlation of information: both the email address and the password are unique to a person, which makes them a better tracking identifier than browser cookies. Both can be used to correlate information from different websites, regardless of whether the page is encrypted or not.
There are also positive findings from the experiment. Although built-in password managers are vulnerable to XSS attacks, none of the 50,000 pages analysed was found to exfiltrate passwords. On the other hand, 1,110 sites listed as popular in Alexa's statistics were found to be leaking email addresses.
Polish business is involved too
The researchers point to the OnAudience script from behavioralengine.com, which is seen most often on .com sites, including news services, online vendors and shops. Of the 63 analysed sites under the .com TLD, 45 contain the tracking script. What's more, the script also collects information about installed plug-ins, supported MIME types, screen resolution, language, time zone, operating system and processor. It then generates a hash from this browser fingerprint and sends everything, together with the hashed email address, to its server.
The researchers contacted OnAudience, which claims that it uses only anonymous data. But an email address is not anonymous: all it takes to identify a user is the harvested address, and finding everything about the person tied to it is then a matter of moments.
We use the Google Cloud Translation and Gengo APIs to translate articles, with the exception of our comparative tests.