Your IT Consultant

Information Technology Blog
by John W. Simek, Vice President of Sensei Enterprises, Inc.

Beware if You Use a Browser-Based Password Manager

January 3, 2018

Another reason NOT to use the built-in password manager feature of your browser. Security researchers from Princeton's Center for Information Technology Policy have revealed that marketing companies have started exploiting an 11-year-old bug that allows them to steal your e-mail address for targeted advertising across multiple devices. The concern is that the same method could also be used to steal your saved user names and passwords without your permission. Third-party tracking scripts found on websites inject invisible login forms in the background, which trick browser password managers into auto-filling them with saved information.

You can test your own browser by going to the demo autofill abuse page. Most third-party password managers, such as LastPass and 1Password, aren't impacted since they avoid auto-filling invisible forms and also require user interaction. The best practice is to disable the autofill function or, better yet, not save any authentication credentials to the browser. In other words, answer NO when prompted to save login information.
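The two safeguards mentioned above (skip invisible forms, require user interaction) can be sketched as follows. This is an added example, not code from this post or from LastPass or 1Password; the function names and the stub objects are hypothetical.

```javascript
// Added illustration; function names are hypothetical, not any vendor's API.
// Nodes are duck-typed: in a browser pass (n) => getComputedStyle(n) as getStyle.

// Collect reasons a field is effectively invisible to the user (heuristic,
// not exhaustive: it ignores clipping and elements stacked on top).
function invisibilityReasons(el, getStyle) {
  const reasons = new Set();
  if (getStyle(el).visibility === "hidden") reasons.add("visibility:hidden");
  // display and opacity on any ancestor hide the whole subtree, so walk up.
  for (let node = el; node; node = node.parentElement) {
    const s = getStyle(node);
    if (s.display === "none") reasons.add("display:none");
    if (parseFloat(s.opacity) === 0) reasons.add("opacity:0");
  }
  const r = el.getBoundingClientRect();
  if (r.width < 2 || r.height < 2) reasons.add("zero-size");
  else if (r.right <= 0 || r.bottom <= 0) reasons.add("off-screen");
  return [...reasons];
}

// Fill only a visible field, and only in response to a genuine user gesture
// (Event.isTrusted is false for events synthesized by script).
function autofillDecision(field, getStyle, userEvent) {
  const reasons = invisibilityReasons(field, getStyle);
  if (!userEvent || !userEvent.isTrusted) reasons.push("no-user-interaction");
  return { fill: reasons.length === 0, reasons };
}

// Constructed stubs standing in for DOM nodes so the check also runs in Node.
const stub = (style, rect, parentElement = null) =>
  ({ style, parentElement, getBoundingClientRect: () => rect });
const styleOf = (node) => node.style;
const shown = { width: 200, height: 30, right: 300, bottom: 130 };
const empty = { width: 0, height: 0, right: 0, bottom: 0 };

const hiddenWrapper = stub({ display: "none" }, empty);
const injectedField = stub({ display: "block", opacity: "1" }, empty, hiddenWrapper);
const loginField = stub({ display: "block", opacity: "1" }, shown);

console.log(autofillDecision(injectedField, styleOf, null));
console.log(autofillDecision(loginField, styleOf, { isTrusted: true }));
```

A field that passes both checks is filled; anything hidden, or any fill attempt without a trusted user event, is refused with the reasons listed.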

Phone: 703.359.0700
Digital Forensics/Information Security/Information Technology
https://www.linkedin.com/in/johnsimek
https://amazon.com/author/johnsimek
https://www.senseient.com