How web trackers exploit password managers

Discussion in '0-day Release' started by RGiskardR, Jan 2, 2018.

RGiskardR (Malware Tester, Silver Member) posted:

    Most web browsers come with a built-in password manager, a basic tool to save login data to a database and fill out forms and/or sign in to sites automatically using the information that is in the database.

    Users who want more functionality rely on third-party password managers like LastPass, KeePass or Dashlane. These password managers add functionality, and may install as browser extensions or desktop programs.

    Research from Princeton's Center for Information Technology Policy suggests that newly discovered web trackers exploit password managers to track users.

    The tracking scripts exploit a weakness in password managers. What happens is the following according to the researchers:

    1. A user visits a website, registers an account, and saves the data in the password manager.
    2. The tracking script runs on third-party sites. When a user visits the site, login forms are injected in the site invisibly.
    3. The browser's password manager will fill out the data if a matching site is found in the password manager.
    4. The script detects the username, hashes it, and sends it to third-party servers to track the user.
    The following graphic representation visualizes the workflow.

    Full source: