Equifax said the breached records did not put British consumers at risk
Equifax said the breached records did not put British consumers at risk

Ad targeters secretly tracking people on the internet through invisible login forms

Scripts, which abuse password managers, have been discovered on more than 1,000 top websites

Aatif Sulleyman
Tuesday 02 January 2018 21:49

Web users are having their details secretly collected by ad tracking companies, researchers say.

They’re abusing password managers, which help you sign into websites by remembering your login details for you.

Researchers have found that ad tracking firms have been using invisible login forms to uncover and collect people’s email addresses without their knowledge.

These scripts, which are designed to help companies track users across the web, have been discovered on more than 1,000 top sites.

The researchers, from Princeton’s Center for Information Technology Policy, say the practice can help companies learn more about your online activities.

A password manager tool is available on all major web browsers, which typically offer to remember your login details when you first sign in to a website.

By accepting the offer, you give the browser permission to autofill the username and password fields with your details whenever you’re required to log in to that site in the future, which can save time.

“First, a user fills out a login form on the page and asks the browser to save the login,” the researchers wrote. “The tracking script is not present on the login page. Then, the user visits another page on the same website which includes the third-party tracking script.

“The tracking script inserts an invisible login form, which is automatically filled in by the browser’s login manager. The third-party script retrieves the user’s email address by reading the populated form and sends the email hashes to third-party servers.”

Because the login form inserted by the script is invisible, users don’t realise that their details are being collected.

The researchers found two scripts that use this technique to extract email addresses from password managers, which are present on 1,110 of the top one million Alexa sites.

“Email addresses are unique and persistent, and thus the hash of an email address is an excellent tracking identifier,” the researchers added.

“A user’s email address will almost never change — clearing cookies, using private browsing mode, or switching devices won’t prevent tracking.

“The hash of an email address can be used to connect the pieces of an online profile scattered across different browsers, devices, and mobile apps. It can also serve as a link between browsing history profiles before and after cookie clears.”

Fortunately, they didn’t find any incidents of password theft on any of the 50,000 sites they analysed as part of the study.

They have, however, called on web browser vendors to implement changes that prevent third parties from abusing autofill functionality in this manner.

Register for free to continue reading

Registration is a free and easy way to support our truly independent journalism

By registering, you will also enjoy limited access to Premium articles, exclusive newsletters, commenting, and virtual events with our leading journalists

Already have an account? sign in

By clicking ‘Register’ you confirm that your data has been entered correctly and you have read and agree to our Terms of use, Cookie policy and Privacy notice.

This site is protected by reCAPTCHA and the Google Privacy policy and Terms of service apply.

Join our new commenting forum

Join thought-provoking conversations, follow other Independent readers and see their replies


Thank you for registering

Please refresh the page or navigate to another page on the site to be automatically logged inPlease refresh your browser to be logged in