It’s not just a theoretical attack: it’s actually being used by advertisers on 1110 of the top one million websites today, according to Freedom to Tinker. This problem demonstrates the importance of using unique passwords on every website.
You Need Unique Passwords Everywhere, So Password Managers Are Still Essential

This demonstration site doesn’t currently show any problem if you use LastPass, but anything that automatically fills usernames and passwords with no user intervention, LastPass included, is theoretically vulnerable. Continue, and it will be autofilled in the background, with the script capturing the email address and password. Fill in a fake email address and password, and you’ll be prompted to save it in your browser’s password manager. You can see this problem for yourself by visiting this demonstration page. They run in the background, create fake login and password boxes you can’t even see, and capture the credentials your password manager fills into them. This makes signing in faster, as you just have to click “Login”.

But some third-party advertising scripts, the ones that nearly every website out there uses, are starting to use these to track you. From that point forward, it will attempt to automatically fill them into username and password boxes it sees on that website. When you save your username and password on a website, your password manager remembers them. As a result, you should probably disable the autofill feature to prevent this from happening. This affects everyone using a password manager, whether it’s a built-in password manager like the one in Chrome, Firefox, or Edge, or a browser extension like LastPass. According to Freedom to Tinker, a few ad networks are now abusing tracking scripts to capture the email addresses that your password manager auto-fills on websites.

But it gets worse: they could use that tech to capture your passwords too, if they wanted. Advertisers have found a new way to track you.
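
One way a site owner could audit a page for the invisible login and password boxes described above, as an added example that is not from the original article: it flags email and password inputs a user cannot see that were inserted by a script from another origin. The field records, the `injectedBy` attribute and the example origins are assumptions constructed for illustration.

```javascript
// Added example. Field records are constructed sample data; in a browser they
// would be built per <input> from getComputedStyle() and getBoundingClientRect().
// `injectedBy` (URL of the script that inserted the field) is a hypothetical
// attribute assumed to come from the auditor's own instrumentation.
const CREDENTIAL_TYPES = new Set(["email", "password"]);

// Reasons a field cannot be seen by the user (empty array = visible).
function invisibilityReasons({ style, rect }) {
  const reasons = [];
  if (style.display === "none") reasons.push("display:none");
  if (style.visibility === "hidden") reasons.push("visibility:hidden");
  if (Number(style.opacity) === 0) reasons.push("opacity:0");
  if (rect.width <= 1 || rect.height <= 1) reasons.push("near-zero size");
  if (rect.x + rect.width < 0 || rect.y + rect.height < 0) reasons.push("off-screen");
  return reasons;
}

// Credential inputs that are invisible AND inserted by a script from another
// origin than the page. First-party hidden fields (collapsed panels) are skipped.
function findSuspectFields(fields, pageOrigin) {
  return fields
    .filter((f) => CREDENTIAL_TYPES.has(f.type))
    .map((f) => ({ id: f.id, injectedBy: f.injectedBy, reasons: invisibilityReasons(f) }))
    .filter((f) => f.reasons.length > 0 && new URL(f.injectedBy).origin !== pageOrigin);
}

const shown = { display: "block", visibility: "visible", opacity: "1" };
const SAMPLE_FIELDS = [ // constructed sample, not captured from a real site
  { id: "login-email", type: "email", injectedBy: "https://shop.example/app.js",
    style: shown, rect: { x: 40, y: 200, width: 280, height: 32 } },
  { id: "login-pass", type: "password", injectedBy: "https://shop.example/app.js",
    style: shown, rect: { x: 40, y: 240, width: 280, height: 32 } },
  { id: "collapsed-pass", type: "password", injectedBy: "https://shop.example/app.js",
    style: { ...shown, display: "none" }, rect: { x: 0, y: 0, width: 0, height: 0 } },
  { id: "t-email", type: "email", injectedBy: "https://ads.example/track.js",
    style: { ...shown, opacity: "0" }, rect: { x: -5000, y: 0, width: 1, height: 1 } },
  { id: "t-pass", type: "password", injectedBy: "https://ads.example/track.js",
    style: { ...shown, display: "none" }, rect: { x: 0, y: 0, width: 0, height: 0 } },
];

for (const hit of findSuspectFields(SAMPLE_FIELDS, "https://shop.example")) {
  console.log(`${hit.id} <- ${hit.injectedBy}: ${hit.reasons.join(", ")}`);
}
```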