These companies can steal passwords from your browser, and you do not even know

The method of theft in browser password and login in one session on the JavaScript described researchers from the portal A typical XSS attack, which in this case is downloading and eksfiltracja data without the user's knowledge are carried out by third parties responsible for developing tracking JavaScript code. All that we know of — the company with the marketing and advertising industry can go to such an extent that user information can break any unwritten rules of safety and common sense. The information presented in the portal reveals that the built-in password managers in Chrome, Firefox, Safari, and Edge are used by spy scripts for tracking/profiling of users.

The diagram shows the procedure:

  • The user fills in the login form and saves the data in the browser. This is not an attack on the Protocol, so it doesn't matter that "browser <-> website" is encrypted (HTTPS) or is not (HTTP).
  • A user visits a page on the same site in the same domain, which is a malicious JavaScript. That script is invisible and transparent login form that is completed by the browser.
  • The script sends a hash to a company email address gathering such data.

For some people it may be strange that to complete the form is not required interaction with the user. Well, not necessarily – all top browser automatically fill user name (and often the e-mail address) immediately, regardless of whether the form is visible. In the case of Chrome such a form is not populated automatically, you need to click anywhere on the page. Other browsers that have been tested by the authors made the experience (Firefox, Chrome, Internet Explorer, Edge, Safari) do not require user interaction, so the password and login box are automatically populated. Of course, this is also subject to the settings of the same browser and whether or not we agree to remember that were made to the form information.

How it works you can test on this siteby entering any data (preferably not).

Sometimes the image conveys the message than even the most accurate description (see video).

In such a way the JavaScript code can retrieve the saved credentials that are then sent to the company living from the sale of profile information about users. In extreme cases, such data may get into the hands of criminals.

Dangerous in all of this is correlating information: both email addresses and password are unique, and are therefore an ideal identifier to track better than browser cookies. Both password and email address may be used to correlate information from various websites, regardless of whether the page is encrypted or not.

There are also positive aspects of the carried out experience. Despite the fact that the built-in password managers are vulnerable to XSS attacks, out of 50000 analysed pages not found such that eksfiltrują password. In contrast, 1110 found that were included in the statistics of the site Alexa as popular and which email addresses are no longer cackały.

Two of the many scripts that produced email addresses stored in your browser.

Is and business Poland

Researchers point to the script's OnAudience from, which is most often seen on sites with ".com", including information services, online vendors and stores online. 45 out of 63 analysed sites in the domain TLD ".com" contains the tracking script. What's more, the script of this company collects information about installed plug-ins, files in MIME format, screen resolutions, language, time zone, operating system and processor. Then generates the hash information based on the fingerprint browser and sends everything in the indicated place.

Investigators have contacted with the company OnAudience, which claims that only uses anonymous data. That email address is not anonymous, and to find information about a user simply stolen email. Now, find all the information about a particular person associated with that address is just a matter of a few moments.

Learn more about our offer

If you sell security solutions, are a distributor, authorized partner or developer and would like to share your portfolio with a group of potential customers, advertise an event, software, hardware or other services on AVLab - simply write to us. Or maybe you had to deal with ransomware? We can also help you decrypt your files.
Read more

We use Google Cloud Translation and Gengo API’s to translate articles with exception of our comparative tests.