A team of cybersecurity researchers from Princeton University has warned that web tracking firms are in a position to abuse browser login managers to harvest individuals’ usernames and email addresses, heightening the risk of cybersecurity breaches. Many popular browsers, including Firefox, Chrome and Safari, feature login managers which individuals can use to save and autofill usernames and passwords on websites. The team at Princeton found that web trackers can exploit this autofill function to collect sensitive login details.
The cybersecurity team from Princeton’s Center for Information Technology Policy uncovered evidence that at least two web tracking firms covertly install hidden login fields on websites, resulting in browsers’ autofill functions inadvertently completing the form with the individual’s saved login information, completely without the user’s knowledge. While experts in cybersecurity threat analysis have always warned about the potential risks in browser autofill features, this is the first time researchers have uncovered concrete evidence of this technique being used to track individuals online.
The researchers at Princeton said that they found two web tracking services – Adthink and OnAudience – which use hidden login forms to gather what should be confidential user login details. Between the two services, they have collected information through embedded tracking scripts on over a thousand websites. While there is no evidence that password information has been compromised, the collection of hashed email addresses alone potentially allows the firms to track individual users even if they are careful to clear cookies or have switched to a different device.
The cybersecurity threat to user privacy will raise concerns for both individuals and company IT managers who have a responsibility to protect sensitive customer data. Of particular concern is the fact that website owners may in many cases be entirely unaware that web tracking firms are extracting user login information, and that this could potentially be in violation of data privacy legislation, such as the forthcoming General Data Protection Regulation (GDPR) in Europe.
Publishers and IT managers alike need to be alert to the cybersecurity threat this practice represents, and may need to take action to avoid complicity in unauthorized use of sensitive user data. Measures such as placing site login forms on a separate subdomain rather than on the site’s main domain can help, while users should also consider installing ad-blocking plugins, or making use of the cybersecurity protection browser extensions provided by many antivirus and anti-malware providers, to prevent third-party tracking.
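The pattern described above, a login-type input that the user never sees and that does not belong to one of the site's own forms, leaves a detectable footprint in the page's DOM. The following audit is an added example written for this article; it is not code from the Princeton study, from the article, or from any tracking or browser vendor. It flags username, email and password inputs that are invisible (hidden by CSS, zero-sized or off-screen) or that sit outside an allow-list of form ids the site owner supplies. The allow-list and the field descriptors are assumptions and constructed sample data; in a browser, `collectFields()` builds the same descriptors from live `<input>` elements so a site owner or an extension can run the audit against a real page.

```javascript
// Added example (not from the article or the Princeton study): a defender-side
// audit for the hidden-login-form pattern. A site owner or browser extension
// runs it to find login-type inputs the user cannot see, or that live outside
// the forms the site itself owns, which is where injected tracker forms end up.

// Attribute values that make a text/email input a likely autofill target.
const LOGIN_NAME_HINT = /user|login|e-?mail|pass/i;
const LOGIN_AUTOCOMPLETE = new Set(['username', 'email', 'current-password', 'new-password']);

// Does this input look like something a browser login manager would fill?
function isLoginField(f) {
  if (f.type === 'password') return true;
  if (f.type !== 'email' && f.type !== 'text') return false;
  return LOGIN_AUTOCOMPLETE.has(f.autocomplete || '') ||
    LOGIN_NAME_HINT.test(f.name || '') ||
    LOGIN_NAME_HINT.test(f.id || '');
}

// Is the field invisible to the user by any of the usual CSS tricks?
function isInvisible(f) {
  const s = f.style || {};
  const r = f.rect || {};
  return s.display === 'none' ||
    s.visibility === 'hidden' ||
    Number(s.opacity) === 0 ||
    r.width === 0 || r.height === 0 ||        // collapsed to nothing
    r.right < 0 || r.bottom < 0;              // positioned off-screen
}

// Returns one finding per suspicious field: { name, type, reasons }.
// allowedFormIds is the site owner's list of forms that legitimately collect
// credentials (an assumption: the site must know its own login forms).
function auditLoginFields(fields, allowedFormIds) {
  const allowed = new Set(allowedFormIds);
  const findings = [];
  for (const f of fields) {
    if (!isLoginField(f)) continue;
    const reasons = [];
    if (isInvisible(f)) reasons.push('invisible-to-user');
    if (!f.formId || !allowed.has(f.formId)) reasons.push('outside-known-form');
    if (reasons.length) {
      findings.push({ name: f.name || f.id || '(unnamed)', type: f.type, reasons });
    }
  }
  return findings;
}

// Browser-side collector: turns live <input> elements into the descriptor
// shape used above. Returns [] where no DOM exists, so this file also loads
// under Node for the sample run below.
function collectFields(doc = (typeof document !== 'undefined' ? document : null)) {
  if (!doc) return [];
  return Array.from(doc.querySelectorAll('input')).map((el) => {
    const cs = doc.defaultView.getComputedStyle(el);
    const r = el.getBoundingClientRect();
    return {
      type: el.type, name: el.name, id: el.id,
      autocomplete: el.getAttribute('autocomplete') || '',
      formId: el.form ? el.form.id : null,
      style: { display: cs.display, visibility: cs.visibility, opacity: cs.opacity },
      rect: { width: r.width, height: r.height, right: r.right, bottom: r.bottom },
    };
  });
}

// Constructed sample data: the site's own visible login form, a visible search
// box, and a third-party form hidden with display:none outside any site form.
const VISIBLE = { display: 'block', visibility: 'visible', opacity: '1' };
const ON_SCREEN = { width: 200, height: 30, right: 400, bottom: 300 };
const HIDDEN = { display: 'none', visibility: 'visible', opacity: '1' };
const SAMPLE_FIELDS = [
  { type: 'email', name: 'email', autocomplete: 'username', formId: 'site-login', style: VISIBLE, rect: ON_SCREEN },
  { type: 'password', name: 'password', autocomplete: 'current-password', formId: 'site-login', style: VISIBLE, rect: ON_SCREEN },
  { type: 'text', name: 'q', formId: 'search', style: VISIBLE, rect: ON_SCREEN },
  { type: 'email', name: 'email', formId: 'trk-form', style: HIDDEN, rect: { width: 0, height: 0, right: 0, bottom: 0 } },
  { type: 'password', name: 'password', formId: 'trk-form', style: HIDDEN, rect: { width: 0, height: 0, right: 0, bottom: 0 } },
];

// Runs the audit over the constructed sample; only the two injected fields
// should be reported, each for being invisible and outside a known form.
function runSample() {
  return auditLoginFields(SAMPLE_FIELDS, ['site-login']);
}

console.log(JSON.stringify(runSample(), null, 2));
```

On a live page the call is `auditLoginFields(collectFields(), ['site-login'])`, run after third-party scripts have finished loading, since the injected form only exists once the tracker script has added it. A finding that reads `outside-known-form` alone is worth a look but may be a legitimate form the allow-list forgot; a field that is both invisible and outside every known form is the combination the researchers describe and should be treated as a likely credential-harvesting attempt.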