DooKey ([H]F Junkie, joined Apr 25, 2001, 13,552 messages)
Everyone knows that the built-in login managers that some people use to speed up login on oft-visited sites are vulnerable to cross-site scripting attacks that can result in usernames and passwords being stolen. Now there's a new exploit that's going around, and web trackers are using it to track your movements around the web. Some webpages are using third-party scripts to gather the email address from the auto-login and use it for tracking. The folks at Freedom-to-Tinker have discovered this on approximately 1,000 of the 50,000 sites they analyzed, and while this isn't a huge number, it gives the savvy web browser one more reason not to use auto-login. Practice safe browsing habits [H].
The underlying vulnerability of login managers to credential theft has been known for years. Much of the past discussion has focused on password exfiltration by malicious scripts through cross-site scripting (XSS) attacks. Fortunately, we haven't found password theft on the 50,000 sites that we analyzed. Instead, we found tracking scripts embedded by the first party abusing the same technique to extract email addresses for building tracking identifiers.
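The technique Freedom-to-Tinker describes depends on a login form the user never sees: the page (or a script it embeds) plants username and password inputs that are hidden from view, the browser's login manager fills them in, and the script reads the email field back. The audit script below is an added example written for this thread; it is not code from the HardForum post or from Freedom-to-Tinker's study. It takes a snapshot of a page's input fields and flags any credential-looking field that is invisible to the user, which is exactly the shape a defender would want to spot before an autofill lands in it. The field descriptors (name, type, style, box size, a hypothetical frameOrigin tag) and the sample page contents are constructed for the example; the snapshotFields helper shows how the same descriptors would be collected from a live DOM.

```javascript
// Audit helper for the autofill-abuse pattern: find login fields a page has
// hidden from the user. Added example, not from the post or the study it quotes.

// Input types that a login manager might fill with an identifier or secret.
const FILLABLE_TYPES = new Set(["email", "password", "text", "tel"]);
// Name/id/autocomplete hints that usually mark a username or password box.
const CREDENTIAL_HINTS = /(user|login|email|e-mail|pass)/i;

function looksLikeCredentialField(field) {
  if (field.type === "password" || field.type === "email") return true;
  if (!FILLABLE_TYPES.has(field.type)) return false;
  const label = `${field.name || ""} ${field.id || ""} ${field.autocomplete || ""}`;
  return CREDENTIAL_HINTS.test(label);
}

// Returns a short reason string when the field cannot be seen, else null.
function hiddenReason(field) {
  const s = field.style || {};
  if (s.display === "none") return "display:none";
  if (s.visibility === "hidden") return "visibility:hidden";
  if (Number(s.opacity) === 0) return "opacity:0";
  if (field.width === 0 || field.height === 0) return "zero-size box";
  if (field.offscreen === true) return "positioned off-screen";
  return null;
}

// Main check: credential-looking fields the user cannot see.
function findHiddenCredentialFields(fields) {
  const hits = [];
  for (const f of fields) {
    if (!looksLikeCredentialField(f)) continue;
    const reason = hiddenReason(f);
    if (reason === null) continue;
    hits.push({
      name: f.name || f.id || "(unnamed)",
      type: f.type,
      origin: f.frameOrigin || "(top document)", // hypothetical tag, see lead-in
      reason,
    });
  }
  return hits;
}

// Browser-side collector (not called here): builds the same descriptors from a
// live document so the check above can run in a devtools console or extension.
function snapshotFields(doc) {
  const view = doc.defaultView;
  return Array.from(doc.querySelectorAll("input")).map((el) => {
    const box = el.getBoundingClientRect();
    const cs = view.getComputedStyle(el);
    return {
      name: el.name, id: el.id, type: el.type, autocomplete: el.autocomplete,
      style: { display: cs.display, visibility: cs.visibility, opacity: cs.opacity },
      width: box.width, height: box.height,
      offscreen: box.right < 0 || box.bottom < 0,
      frameOrigin: view.location.origin,
    };
  });
}

// Constructed sample: a normal search box, a visible login form, and a second
// login form that a third-party script has hidden (all values are made up).
const SAMPLE_FIELDS = [
  { name: "q", type: "text", style: { display: "block" }, width: 200, height: 30 },
  { name: "email", type: "email", style: { display: "block" }, width: 200, height: 30 },
  { name: "password", type: "password", style: { display: "block" }, width: 200, height: 30 },
  { name: "login_email", type: "text", style: { display: "none" }, width: 0, height: 0,
    frameOrigin: "https://tracker.example" },
  { name: "login_pass", type: "password", style: { display: "block", opacity: "0" },
    width: 1, height: 1, frameOrigin: "https://tracker.example" },
];

for (const hit of findHiddenCredentialFields(SAMPLE_FIELDS)) {
  console.log(`hidden credential field: ${hit.name} (${hit.type}) in ${hit.origin}, ${hit.reason}`);
}

module.exports = { looksLikeCredentialField, hiddenReason, findHiddenCredentialFields, snapshotFields, SAMPLE_FIELDS };
```

Run under Node it reports the two hidden fields from the sample and nothing for the visible form; in a browser, `findHiddenCredentialFields(snapshotFields(document))` performs the same audit on the page in front of you. The check is deliberately conservative about what counts as a credential field, so an invisible search box is left alone while an invisible password input is always reported.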