Computer security news 2018: Ad targeters exploit autofill password managers to take confidential user information

Ad targeters exploit autofill information to farm data, unbeknownst to browsers. Pixabay/blickpixel

There are reports that ad targeters are exploiting browser password managers to get data from users. People may browse the web not knowing that information about them is being farmed through these password managers.

Password managers are a convenient and seamless way to browse the internet. This feature is present in almost every browser, and it is harmless enough on its own.

However, a study by Princeton University's Center for Information Technology found that ad targeters are exploiting the autofill feature of password managers to get data from users. They can then add this data to their databases. Future use may include custom targeted ads for the user.

The study was conducted to detect password theft on most websites. Fortunately, the researchers from Princeton did not find any such case on any of the 50,000 sites they analyzed.

What they uncovered instead are the scripts that make autofill data-farming possible.

According to the study, the exploit begins when the browser autofills the "username/email" and "password" fields on a site's login page. It should be noted that no tracking scripts are present on the login page at this point.

The tracking scripts are actually on subsequent pages of the same domain. The script inserts invisible "username" and "password" form fields into the page without the user knowing. Because the browser detects these forms, its password manager autofills the fields.

The tracking script then retrieves this data and adds it to a database of users, who will be served targeted advertisements in the future.

The researchers studied two password manager tracking scripts — AdThink and OnAudience. They claim that both scripts work in the same way: by baiting the password managers to autofill invisible forms with confidential usernames and passwords.
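A site owner can check saved page snapshots for the invisible credential fields described above. The following Python checker is an added example, not code from the study or from this article; its inline-style heuristics, names and sample markup are constructed assumptions, and hiding done through external stylesheets is not covered.

```python
import re
from html.parser import HTMLParser

# Inline-style heuristics for "invisible to the user" (assumed, not exhaustive).
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|opacity\s*:\s*0\s*(?:;|$)"
    r"|(?<![\w-])(?:width|height)\s*:\s*0(?:px)?\s*(?:;|$)"
    r"|(?<![\w-])(?:left|top)\s*:\s*-\d{3,}px", re.I)
CREDENTIAL_HINT = re.compile(r"user|login|e-?mail|pass", re.I)
VOID_TAGS = {"input", "br", "img", "meta", "link", "hr"}
# Constructed sample: visible login form, CSRF token, two invisible bait forms.
SAMPLE = """<form id="login"><input type="email" name="email"><input type="password" name="pw"></form>
<input type="hidden" name="csrf_token" value="x">
<div style="position:absolute; left:-9999px">
  <form><input type="text" name="username"><input type="password" name="password"></form>
</div>
<form style="display:none"><input type="email" name="user_email"></form>"""


class BaitFieldFinder(HTMLParser):
    """Collects credential inputs that are invisible, directly or via an ancestor."""

    def __init__(self):
        super().__init__()
        self.open_tags = []  # (tag, hidden?) for every element still open
        self.findings = []   # (line, input type, input name)

    def handle_starttag(self, tag, attrs):
        a = {k: v or "" for k, v in attrs}
        hidden = ("hidden" in a or bool(HIDDEN_STYLE.search(a.get("style", "")))
                  or any(h for _, h in self.open_tags))
        if tag == "input" and hidden:
            itype = a.get("type", "text").lower()
            label = " ".join(a.get(k, "") for k in ("name", "id", "autocomplete"))
            # type="hidden" inputs (CSRF tokens and the like) are not flagged.
            if itype == "password" or (itype in ("text", "email") and CREDENTIAL_HINT.search(label)):
                self.findings.append((self.getpos()[0], itype, a.get("name", "")))
        if tag not in VOID_TAGS:
            self.open_tags.append((tag, hidden))

    def handle_endtag(self, tag):
        for i in range(len(self.open_tags) - 1, -1, -1):  # tolerate unclosed children
            if self.open_tags[i][0] == tag:
                del self.open_tags[i:]
                break

def find_bait_fields(html):
    finder = BaitFieldFinder()
    finder.feed(html)
    return finder.findings
```

Calling `find_bait_fields(SAMPLE)` reports the three bait inputs and ignores both the visible login form and the CSRF token.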
