Every modern browser, such as Google Chrome, Mozilla Firefox, Apple Opera, and Microsoft Edge, comes with a built-in password manager that lets the user save login information for automatic form filling. These browser-based password managers are designed to detect login forms on a web page and fill in the saved credentials automatically.
A team of researchers from Princeton’s Center for Information Technology Policy has found that existing vulnerabilities in built-in password managers are actively exploited by third-party tracking scripts on more than a thousand websites.
When a user fills in a login form on a web page and asks the browser to save the credentials, no tracking script is present on that login page. However, when the user later visits another page on the same website that does include the third-party tracking script, the script inserts an invisible login form, which the browser’s password manager fills in automatically. The script then reads the populated form to retrieve the user’s email address and sends a hash of it to third-party servers.
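As an added example (not code from the article or from the Princeton study), here is a site-side monitor for the pattern just described: a form inserted after page load, hidden from the user, yet shaped like a login form so that a password manager will fill it. The visibility heuristics are assumptions of this example; `form` and `win` only need the DOM-like methods used here, so the logic can also be checked offline with the constructed stubs at the bottom.

```javascript
// Returns true when a form looks like a login form (has a password field) but
// is not visible to the user: hidden via CSS, zero-sized, or pushed off-screen.
function isHiddenAutofillTarget(form, win) {
  const types = Array.from(form.querySelectorAll("input")).map(
    (i) => (i.type || "text").toLowerCase()
  );
  if (!types.includes("password")) return false; // password managers ignore it
  const style = win.getComputedStyle(form);
  const rect = form.getBoundingClientRect();
  return (
    style.display === "none" ||
    style.visibility === "hidden" ||
    Number(style.opacity) === 0 ||
    rect.width === 0 || rect.height === 0 ||
    rect.right <= 0 || rect.bottom <= 0 // entirely off-screen
  );
}

// Watches the document for forms added after load (e.g. by a third-party
// script) and hands matching ones to `report`, which could log the form,
// remove it, or set autocomplete="off" on its inputs.
function watchForInjectedLoginForms(doc, win, report) {
  const observer = new win.MutationObserver((records) => {
    for (const rec of records) {
      for (const node of rec.addedNodes) {
        if (typeof node.querySelectorAll !== "function") continue;
        const forms = node.tagName === "FORM" ? [node] : Array.from(node.querySelectorAll("form"));
        forms.filter((f) => isHiddenAutofillTarget(f, win)).forEach(report);
      }
    }
  });
  observer.observe(doc.documentElement, { childList: true, subtree: true });
  return observer;
}

// Constructed stand-ins for DOM objects so the heuristic runs without a browser.
function stubForm(inputTypes, style, rect) {
  return {
    tagName: "FORM",
    querySelectorAll: () => inputTypes.map((type) => ({ type })),
    getBoundingClientRect: () => rect,
    _style: style,
  };
}
const stubWin = { getComputedStyle: (el) => el._style };
const visibleStyle = { display: "block", visibility: "visible", opacity: "1" };
const onScreen = { width: 300, height: 80, right: 300, bottom: 80 };

// A hidden email+password form such as a tracker might inject, beside the site's real one.
const injected = stubForm(["email", "password"], { ...visibleStyle, display: "none" }, onScreen);
const legitimate = stubForm(["email", "password"], visibleStyle, onScreen);
```

In a real page, call `watchForInjectedLoginForms(document, window, report)` early, before third-party scripts run.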
These attacks have been discussed for over 11 years. Much of that discussion focused on the security implications of the existing functionality and on the security-usability tradeoff of auto-fill. So, you may be wondering how this security vulnerability could persist for over 11 years. That’s because, unfortunately, browser password managers have not evolved much, and storing passwords within the browser is a bad idea.
The simplest way to prevent such attacks is to disable the auto-fill function on your browser.