
1/2/2018
02:00 PM
Larry Loeb

Autofill Brings Automatic Vulnerability

A vulnerability in browser-based autofill may mean that your users are spilling the beans on much more than they know.

The economics of the Internet, sadly, have ended up being fairly simple. If you aren't directly paying for a product, then you are the product. And part of being that product -- the information about you that marketers want -- involves tracking where you go on the net.

First there were cookies and other data structures used by marketers to track web browsers. Users eventually gained enough sophistication to eliminate or neutralize each of these mechanisms. Adblockers and privacy code became part of the browser used to immerse one in the web.

But it seems some marketers got a bit clever in order to grab data on users. Researchers at Princeton's Center for Information Technology Policy found evidence of a trick that uses the login manager found in every major browser. It allowed two marketing firms to use scripts that fooled the browser into filling in hidden login forms that the scripts had created. The basic problem with the login manager's function had been known for over ten years, but until now had only been used in cross-site scripting attacks.

What the marketers ended up with was a username or email address, which was hashed and then correlated with the user's existing advertising profile. The result is more powerful than it seems at first glance.

The researchers succinctly outlined the value of this data in their blog post: "Email addresses are unique and persistent, and thus the hash of an email address is an excellent tracking identifier. A user's email address will almost never change -- clearing cookies, using private browsing mode, or switching devices won't prevent tracking. The hash of an email address can be used to connect the pieces of an online profile scattered across different browsers, devices, and mobile apps."

So, this is a tracker of real utility to someone who wants personal tracking information. Users can't easily prevent its creation, since it is done in secret, nor will browser actions affect it. But it may lead to fines under the EU's GDPR privacy regulations that go into effect this May, even if the site owner is unaware of its existence.

Protect your website
Solving this behavior would require a change in how the login manager operates. It would have to stop filling in the hidden fields unless users interacted with them. That's a change that has not occurred to date, even though the potential vulnerability has been known.

The researchers do suggest that publishers isolate third-party scripts by putting them in a different subdomain. This would stop autofilling. A separate framework for the scripts might also provide relief.
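
Publishers can also watch their own pages for the behavior described above. The following is an added example, not code from the article or from the Princeton researchers: a page-side heuristic that flags forms inserted after load whose credential fields are all invisible to the user. The names `isHidden`, `classifyForm`, `watchForInjectedLoginForms` and the `report` callback are assumptions made for illustration.

```javascript
// Heuristic visibility check. `getStyle` is injected so the logic can be
// exercised outside a browser; in a page it is getComputedStyle.
function isHidden(el, getStyle) {
  const style = getStyle(el);
  const rect = el.getBoundingClientRect();
  return style.display === 'none' || style.visibility === 'hidden' ||
    Number(style.opacity) === 0 || rect.width === 0 || rect.height === 0;
}

// A form is flagged when it holds a password field and none of its
// credential fields can be seen, so only the login manager could fill it.
function classifyForm(form, getStyle) {
  const fields = Array.from(form.querySelectorAll('input'))
    .filter((f) => ['password', 'email', 'text'].includes(f.type));
  const hasPassword = fields.some((f) => f.type === 'password');
  const hidden = fields.filter((f) => isHidden(f, getStyle));
  return {
    hasPassword,
    hiddenFields: hidden.length,
    suspicious: hasPassword && hidden.length === fields.length,
  };
}

// Browser wiring: inspect every form added after initial load and pass
// flagged ones to `report` (hypothetical callback, e.g. your own logging).
function watchForInjectedLoginForms(report) {
  const observer = new MutationObserver((mutations) => {
    for (const m of mutations) {
      for (const node of m.addedNodes) {
        if (node.nodeType !== 1) continue; // element nodes only
        const forms = node.matches('form')
          ? [node]
          : Array.from(node.querySelectorAll('form'));
        for (const form of forms) {
          const verdict = classifyForm(form, (el) => getComputedStyle(el));
          if (verdict.suspicious) report({ form, verdict });
        }
      }
    }
  });
  observer.observe(document.documentElement, { childList: true, subtree: true });
  return observer;
}
```

This is a heuristic: it does not catch fields added to an existing form or forms hidden after insertion, and a legitimate login dialog that is injected in a collapsed state will be flagged and needs an allowlist.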

Protect your users
Individual users might also consider an external password manager that will not fill in hidden fields. The benefits of this kind of manager may be greater than just what shows up in a browser. As an IT or IT security manager, it could be worth looking at default browser behavior and implementing a policy that disables browser-based autofill, replacing the function with a secure password manager insulated from the kind of autofill scripting attack represented in this latest vulnerability.

Login managers are useful in the abstract, but like most things, may trip you up when used practically. Do you know what user information your browsers are giving up? If you can't say "yes" with certainty, it's time to put your browsers under a serious set of data restrictions.


— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.
