Security Flaw in Browser Password Managers Puts User Data at Risk


Many internet users let their browser store their usernames and passwords for convenience: the autofill tool eliminates the need to enter the details manually and removes the worry of forgetting complex passwords. But a security flaw in how that autofill works could give attackers a way to read the stored data, compromising any associated accounts.

New research suggests that passwords stored in browsers, like Google Chrome or Safari, aren’t as secure as many believe. A study revealed that advertising firms are accessing some of the data, without consent from users, to help them target ads, raising concerns that the same approach could be used by hackers.

Most major browsers come with a built-in password management tool, allowing details like usernames and passwords to be stored, so users don’t have to memorize the information.

When a person returns to a site after saving the login data, the browser fills in those details automatically through the autofill feature, so the user never has to type them again.

A team of cybersecurity researchers at Princeton University discovered that advertising firms were able to read password manager data by planting invisible login forms in the background of a page.

These invisible forms, embedded by web-tracking scripts, trigger the browser's autofill just as a visible login form would, so the stored details are loaded into the page without the user's knowledge or consent.

Details harvested from the invisible login forms, such as those planted by the AdThink and OnAudience tracking scripts, let the advertising firm tie your browsing activity to a persistent identity across sites. They use that information to display targeted ads.

While the primary goal of these firms is to capture username data, nothing in the approach prevents passwords from also being collected.

According to a report by the Daily Mail, preventing the data from being collected would require a fundamental shift in how password managers operate: the browser would need explicit user approval before handing stored credentials to a page's scripts, including third-party scripts such as those used by AdThink and OnAudience.

“It won’t be easy to fix,” said Princeton computer science professor Arvind Narayanan, “but it’s worth doing.”

Additionally, website operators need to be more aware of how invasive some third-party scripts can be, said the research team.

“We’d like to see publishers exercise better control over third parties on their sites,” said Narayanan. “These problems arise partly because website operators have been lax in allowing third-party scripts on their sites without understanding the implications.”