Password manager autofill may be leaking username and password

Ad scripts are working against autofill to collect your private data


By Heather Hamilton, contributing writer

While autofill options in your browser seem like a convenient way to save time, recent reports indicate that ad networks are misusing your autofilled information. By using tracking scripts to capture the email address that your password manager automatically enters and even capture your password, ad networks are storing your personal data. Freedom to Tinker reports that this applies to both built-in browser password managers and browser extensions.

Third-party ad scripts run in the background of sites that you visit and create fake login and password fields that aren’t visible, then capture the usernames and passwords that your password manager enters into them. You can test it for yourself through a demo page designed by Freedom to Tinker.

The site also explains the reason for ad sites to collect user email addresses. Essentially, they are unchanging, even as users clear cookies, use private browsing, and switch devices. This allows sites to track users and “connect the pieces of an online profile scattered across different browsers, devices, and mobile apps. It can also serve as a link between browsing history profiles before and after cookies clear,” they write.

Freedom to Tinker says that the problem impacts 1,110 of the top 1 million sites, and, while they are currently only capturing usernames and emails, there is absolutely nothing to prevent the additional theft of passwords. How-to Geek points out that this would only allow an advertiser to log into that particular website — unless you’re using the same password for a number of sites. Because of this, they encourage users to use a password manager to keep track of unique passwords, though they also recommend disabling autofill.

How to use autofill
It is undoubtedly convenient to use autofill, and you probably don’t have to stop entirely if you’re using a browser extension like LastPass. Yes, it would be safest to simply cut and paste usernames and passwords from your password manager — but it is almost as safe to enable manually initiated autofill, allowing you to choose when your password manager fills things in.

The majority of browser password managers (including Chrome’s) will not allow you to disable the autofill function for passwords, though you can do it for address, email, etc. If one of these is your password manager of choice, you may consider switching to a third-party password manager, many of which make it easy to change your settings by visiting the “Preferences” tab and saving changes.

If you’re using Mozilla Firefox, you can change how autofill behaves, though the setting is a little bit hidden. Type “about:config” into the address bar and hit Enter. You’ll get a screen warning about changing settings, but if you stick to this one, you’ll be fine. Acknowledge that you accept the risk and then type “autofillForms” in the search box. Double-click the “signon.autofillForms” preference to set it to “false,” which will prevent the password manager from autofilling without your permission.

Sources: Freedom to Tinker, How-to Geek
