Dark Reading is part of the Informa Tech Division of Informa PLC

Application Security

Larry Loeb

Autofill Brings Automatic Vulnerability

A vulnerability in browser-based autofill may mean that your users are spilling the beans on much more than they know.

The economics of the Internet, sadly, have ended up being fairly simple. If you aren't directly paying for a product, then you are the product. And part of being that product -- the information about you that marketers want -- involves tracking where you go on the net.

First there were cookies and other data structures that marketers used to track web browsers. Users eventually gained enough sophistication to eliminate or neutralize each of these mechanisms, and ad blockers and privacy extensions became part of the browser itself.

But it seems some marketers got a bit clever in order to grab data on users. Researchers at Princeton's Center for Information Technology Policy found evidence of a trick that uses the login manager found in every major browser. It allowed two marketing firms to deploy scripts that fooled the browser into filling in hidden login forms the scripts themselves had created. The basic problem with the login manager function had been known for over ten years, but until now had only been used in cross-site scripting attacks.

What the marketers ended up with was a username or email address, which the script hashed and then correlated with the user's existing advertising profile. The result is more powerful than it seems at first glance.

The researchers outlined succinctly the value of this data by saying on their blog post, "Email addresses are unique and persistent, and thus the hash of an email address is an excellent tracking identifier. A user's email address will almost never change -- clearing cookies, using private browsing mode, or switching devices won't prevent tracking. The hash of an email address can be used to connect the pieces of an online profile scattered across different browsers, devices, and mobile apps."

So, this is a tracker of real utility to someone who wants personal tracking information. It can't easily be avoided, since the collection happens in secret, and nothing the user does in the browser will affect it. But it may lead to fines under the EU's GDPR privacy regulation, which goes into effect this May, even if the site owner is unaware of the tracker's existence.

Protect your website
Fixing this behavior would require a change in how the login manager operates: it would have to stop filling in hidden fields unless the user interacted with them. That's a change that has not occurred to date, even though the potential vulnerability has been known.

The researchers do suggest that publishers isolate third-party scripts by putting them on a different subdomain, which would stop the autofilling. A separate framework for the scripts might also provide relief.
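Publishers who want to check their own pages for the pattern described above can audit the rendered HTML for credential-type inputs the user cannot see. The following is an added example written for this article, not code from the Princeton researchers or the marketing firms; the sample markup and the CSS hiding heuristics are constructed assumptions, not taken from the real scripts.

```python
"""Audit HTML for hidden credential fields a browser login manager could autofill."""
from html.parser import HTMLParser
import re
# Inline CSS that keeps an element in the DOM but out of the user's sight (assumed heuristics).
HIDING_CSS = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|opacity\s*:\s*0(?![.\d])"
    r"|(?:left|top)\s*:\s*-\d{3,}px", re.I)
# Input types a login manager fills; <input type="hidden"> is deliberately not one of them.
AUTOFILL_TYPES = {"text", "email", "password", ""}
VOID_TAGS = {"input", "img", "br", "hr", "meta", "link"}  # never pushed on the open-tag stack

class HiddenFieldScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hidden_depth = 0  # open ancestors that hide their whole subtree
        self.open_hidden = []  # per open non-void tag: did it hide its subtree?
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        hidden = "hidden" in a or bool(HIDING_CSS.search(a.get("style", "")))
        if tag == "input":
            if a.get("type", "").lower() in AUTOFILL_TYPES and (hidden or self.hidden_depth):
                self.findings.append({
                    "name": a.get("name") or a.get("id") or "?",
                    "reason": "field itself hidden" if hidden else "inside hidden ancestor"})
            return
        if tag in VOID_TAGS:
            return
        self.open_hidden.append(hidden)
        self.hidden_depth += int(hidden)

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self.open_hidden and self.open_hidden.pop():
            self.hidden_depth -= 1

def scan_hidden_credential_fields(html):
    """Return the autofill-able inputs in `html` that the user cannot see."""
    s = HiddenFieldScanner()
    s.feed(html)
    s.close()
    return s.findings

# Constructed sample: a normal login form, then a tracker-style off-screen form.
SAMPLE_HTML = """<form action="/login"><input type="email" name="login_email">
<input type="password" name="login_pw"><input type="hidden" name="csrf" value="x"></form>
<div style="position:absolute; left:-9999px; top:-9999px">
  <form><input type="text" name="email"><input type="password" name="pass"></form>
</div><input type="email" name="uid" style="display:none">"""

if __name__ == "__main__":
    print(scan_hidden_credential_fields(SAMPLE_HTML))
```

Only the two off-screen fields and the display:none field are reported; the visible login form and the type="hidden" CSRF token are not, since a login manager never fills the latter.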

Protect your users
Individual users might also consider an external password manager that will not fill in hidden fields. The benefits of this kind of manager may be greater than just what shows up in a browser. As an IT or IT security manager, it could be worth reviewing default browser behavior and implementing a policy that disables browser-based autofill, replacing it with a secure password manager insulated from the kind of autofill scripting attack represented by this latest vulnerability.

Login managers are useful in the abstract, but like most things, may trip you up when used in practice. Do you know what user information your browsers are giving up? If you can't say "yes" with certainty, it's time to put your browsers under a serious set of data restrictions.


— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.
