Researchers have uncovered a disturbing way marketing firms can secretly learn your email address. It involves abusing your browser's built-in login manager.
But what happens when you get the same feature on your page?
On Wednesday, researchers at Princeton University said they have caught this tactic being used to lift email addresses from unsuspecting internet users. It has been used on over 1,100 sites through embedded tracking scripts.
The tactic works on major internet browsers for any site. As you navigate through the website, the tracking script can kick in, generating an invisible form to trigger the credential theft.
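An added example, not from the Princeton research or this article: a heuristic a site owner or auditor could run over records of a page's forms to flag login forms that a script inserted but no user could see, which is the pattern described above. The record fields (insertedByScript, scriptOrigin, style, inputs) and the example origins are assumptions.

```javascript
// Added example. The record fields are assumed names for what an
// instrumented crawl or a page audit could log about each <form>.

// True when computed style or geometry means a user cannot see the element.
function isInvisible(s) {
  return s.display === 'none' || s.visibility === 'hidden' ||
    Number(s.opacity) === 0 || s.width <= 1 || s.height <= 1 ||
    s.left + s.width <= 0 || s.top + s.height <= 0; // parked off-screen
}

// True for inputs a login manager is likely to fill.
function isCredentialInput(input) {
  return input.type === 'password' || input.type === 'email' ||
    /\b(username|email|current-password)\b/.test(input.autocomplete || '');
}

// Flags forms whose credential inputs are all invisible and that a script
// inserted; also records whether the inserting script was third-party.
function assessForm(form, pageOrigin) {
  const creds = form.inputs.filter(isCredentialInput);
  const reasons = [];
  if (creds.length === 0) return { suspicious: false, reasons };
  const hidden = isInvisible(form.style) || creds.every(i => isInvisible(i.style));
  if (hidden) reasons.push('credential inputs are invisible');
  if (form.insertedByScript) reasons.push('form inserted by script');
  if (form.scriptOrigin && form.scriptOrigin !== pageOrigin) {
    reasons.push('inserting script is third-party (' + form.scriptOrigin + ')');
  }
  return { suspicious: hidden && form.insertedByScript, reasons };
}

// Constructed sample records; the origins are placeholders.
const visible = { display: 'block', visibility: 'visible', opacity: '1', width: 200, height: 30, left: 40, top: 300 };
const offscreen = { ...visible, left: -9999 };
const sampleForms = [
  { id: 'site-login', insertedByScript: false, scriptOrigin: null, style: visible,
    inputs: [{ type: 'email', style: visible }, { type: 'password', style: visible }] },
  { id: 'injected', insertedByScript: true, scriptOrigin: 'https://tracker.example', style: offscreen,
    inputs: [{ type: 'email', style: offscreen }, { type: 'password', style: { ...visible, display: 'none' } }] },
  { id: 'newsletter', insertedByScript: true, scriptOrigin: 'https://tracker.example', style: visible,
    inputs: [{ type: 'text', autocomplete: 'off', style: visible }] },
];

// Returns the ids of forms worth a manual look.
function auditPage(forms, pageOrigin) {
  return forms.filter(f => assessForm(f, pageOrigin).suspicious).map(f => f.id);
}
console.log(auditPage(sampleForms, 'https://publisher.example'));
```

A login dialog that the site's own script builds while hidden would also be flagged, so treat hits as leads for review, not verdicts.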
Tricking a browser's autofill function is not a new flaw; it's a hacking risk. But this appears to be the first time the researchers have spotted the vulnerability being used for web tracking purposes.
The good news is that the tracking scripts were not lifting passwords. The two marketing companies that appear to be behind the tactic are Adthink and OnAudience, which are both based in Europe.
It is not clear what the data was.
“An email address will also contain an email address will also be sent to you.” be tied to a whole trail of digital footprints.
For instance, snippets of code from the web trackers point to demographic information, including a user's gender, nationality, whether they owned pets, and the make of their car.
Neither Adthink nor OnAudience has commented on the research. However, one of Adthink's websites claims: “We do not collect any personal information. We do not know who you are. We do not know your residential address, your email address, your phone number or any other personally identifiable information about you.”
Despite that statement, it's often unclear exactly what the firms are up to, according to Acar.
“This is one of the problems with online tracking: it's an opaque process, especially once the data is collected from the users' computer,” he said. “It's hard to be sure of the exact use of the data without looking into the server side processing and data transfers.”
On the plus side, the 1,100 sites found lifting the email addresses were not major online destinations. Instead, many appear to be lesser-known European websites, and probably partook in the web tracking to earn money without realizing the consequences.
“In my experience, (the website) publishers are by-and-large unaware of the privacy-invasive behavior of the third-party scripts that they add to their sites,” said Arvind Narayanan, a Princeton assistant professor who was involved in the research.
“When the privacy violations are pointed out, publishers third-party scripts in question from their sites,” he said in an email.
According to their report, the “privacy” attempts to exploit their software's autofill function. A simple way to prevent the vulnerability is to disable the autofill function.
“A less crude defense is to require user interaction before autofilling login forms,” the researchers added. However, some solutions might come at the cost of user convenience, they said.
So far, the companies behind the major internet browsers, including Google, Microsoft and Mozilla, are still looking at the findings. In the meantime, the researchers say. Both scripts from Adthink and OnAudience are blocked by the EasyPrivacy filter for Adblock.