Brief explanation of how trackers work with password managers

I read this and thought it gave quite a clear and simple explanation of how trackers exploit your e-mail address and password manager combo behind the scenes. Might be of interest to members.







Ad targeters secretly tracking people on the internet through invisible login forms

Aatif Sulleyman

Web users are having their details secretly collected by ad tracking companies, researchers say.


They’re abusing password managers, which help you sign into websites by remembering your login details for you.  Researchers have found that ad tracking firms have been using invisible login forms to uncover and collect people’s email addresses without their knowledge.   These scripts, which are designed to help companies track users across the web, have been discovered on more than 1,000 top sites.


The researchers, from Princeton’s Center for Information Technology Policy, say the practice can help companies learn more about your online activities. 

A password manager tool is available on all major web browsers, which typically offer to remember your login details when you first sign in to a website.  By accepting the offer, you give the browser permission to autofill the username and password fields with your details whenever you’re required to log in to that site in the future, which can save time.


“First, a user fills out a login form on the page and asks the browser to save the login,” the researchers wrote. “The tracking script is not present on the login page. Then, the user visits another page on the same website which includes the third-party tracking script. 


“The tracking script inserts an invisible login form, which is automatically filled in by the browser’s login manager. The third-party script retrieves the user’s email address by reading the populated form and sends the email hashes to third-party servers.”  Because the login form inserted by the script is invisible, users don’t realise that their details are being collected.


The researchers found two scripts that use this technique to extract email addresses from password managers, which are present on 1,110 of the top one million Alexa sites.

“Email addresses are unique and persistent, and thus the hash of an email address is an excellent tracking identifier,” the researchers added. 

“A user’s email address will almost never change — clearing cookies, using private browsing mode, or switching devices won’t prevent tracking. 

“The hash of an email address can be used to connect the pieces of an online profile scattered across different browsers, devices, and mobile apps. It can also serve as a link between browsing history profiles before and after cookie clears.”


Fortunately, they didn’t find any incidents of password theft on any of the 50,000 sites they analysed as part of the study. 


They have, however, called on web browser vendors to implement changes that prevent third parties from abusing autofill functionality in this manner. 



Edited by Bird
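
As an added example (not part of the original post or the quoted article), here is a defender-side heuristic a site owner could use to flag the pattern the researchers describe: a login form whose credential fields are invisible and which a script injected after page load. The descriptor shape, the `insertedAfterLoad` and `insertedBy` fields, and the sample origins are assumptions made for illustration.

```javascript
// Added example: defender-side audit for hidden, autofillable login forms.
// Input is a plain descriptor so the logic runs in Node; in a browser the same
// fields come from getComputedStyle() and getBoundingClientRect().
const CREDENTIAL_TYPES = new Set(['email', 'password']);

function isCredentialField(input) {
  return CREDENTIAL_TYPES.has((input.type || 'text').toLowerCase()) ||
    /\b(username|email|current-password)\b/i.test(input.autocomplete || '') ||
    /user|email|login/i.test(input.name || '');
}

function isInvisible(style, rect) {
  return style.display === 'none' ||
    style.visibility === 'hidden' ||
    parseFloat(style.opacity) === 0 ||
    rect.width <= 1 || rect.height <= 1 ||   // collapsed to nothing
    rect.right < 0 || rect.bottom < 0;       // positioned off-screen
}

// form.insertedAfterLoad and form.insertedBy are assumed to come from the
// auditor's own instrumentation (e.g. a MutationObserver or a crawler).
function auditForm(form, pageOrigin) {
  const reasons = [];
  const creds = form.inputs.filter(isCredentialField);
  if (creds.length === 0) return { suspicious: false, reasons };

  const hidden = creds.every((i) => isInvisible(i.style, i.rect));
  if (hidden) reasons.push('credential fields are not visible');
  if (form.insertedAfterLoad) reasons.push('form injected after page load');
  const thirdParty = Boolean(form.insertedBy) &&
    new URL(form.insertedBy).origin !== pageOrigin;
  if (thirdParty) reasons.push('inserted by third-party script');

  // A hidden credential form is only flagged when a script put it there.
  const injected = Boolean(form.insertedAfterLoad) || thirdParty;
  return { suspicious: hidden && injected, reasons };
}

// Constructed sample descriptors (not real sites).
const shown = { display: 'block', visibility: 'visible', opacity: '1' };
const box = { width: 200, height: 30, right: 300, bottom: 200 };
const none = { width: 0, height: 0, right: 0, bottom: 0 };
const loginForm = { insertedAfterLoad: false, inputs: [
  { type: 'email', name: 'email', style: shown, rect: box },
  { type: 'password', name: 'pass', style: shown, rect: box }] };
const injectedForm = { insertedAfterLoad: true,
  insertedBy: 'https://tracker.example/t.js', inputs: [
  { type: 'email', name: 'email', style: { ...shown, opacity: '0' }, rect: none },
  { type: 'password', name: 'pw', style: { ...shown, display: 'none' }, rect: none }] };

console.log(auditForm(loginForm, 'https://shop.example'));
console.log(auditForm(injectedForm, 'https://shop.example'));
```

A visible login form rendered late by the site's own script is reported with a reason but not flagged, since only invisible credential fields match the behaviour described in the article.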