Advertisers borrow malware tricks to steal emails, usernames

Researchers at the Princeton Centre for Information Technology Policy (CITP) have warned of a new and disturbing trend in user-monitoring web trackers: the secret capture of personal information from a browser or standalone password manager.

Published as part of the CITP No Boundaries series, a report from Gunes Acar, Steven Englehardt, and Arvind Narayanan warns that advertising companies eager to track users around the web have begun capturing seemingly-secure personal information - even from third-party sites.

The attack works by injecting a hidden login form on a first- or third-party page which contains what to the browser appear to be valid username, email address, and password fields. If the user has a matching account in their browser's built-in password manager, the browser will 'helpfully' fill in the blanks - allowing the advertiser to snag a copy of the user's personal detail.

Already exploited for password theft by malicious scripts, the group claims the technique is now being used by advertising companies as a means of capturing valid email addresses - used by many sites in place of a username. 'We found two scripts using this technique to extract email addresses from login managers on the websites which embed them,' the researchers report. 'These addresses are then hashed and sent to one or more third-party servers. These scripts were present on 1110 of the Alexa top one million sites.'

The attack works best with a browser's in-built password management system, which is typically configured to invisibly auto-fill recognised form fields. It is also able to exploit third-party password managers which fill form fields without direct user interaction, though any which rely upon the user interacting with the fields directly are not vulnerable.

The team has published a demonstration of the attack against which users can test their own password managers.