Ad targeters are pulling data from your browser’s password manager

Nearly every web browser now comes with a password manager tool, a lightweight version of the same service offered by plugins like LastPass and 1Password. But according to new research from Princeton's Center for Information Technology Policy, those same managers are being exploited as a way to track users from site to site.

The researchers examined two different scripts — AdThink and OnAudience — both of which are designed to get identifiable information out of browser-based password managers. The scripts work by injecting invisible login forms in the background of the webpage and scooping up whatever the browsers autofill into the available slots. That information can then be used as a persistent ID to track users from page to page, a potentially valuable tool in targeting advertising.

The scripts focus largely on usernames, but according to the researchers, there’s no technical measure to stop scripts from collecting passwords the same way. The only robust fix would be to change how password managers work, requiring more explicit approval before submitting information. “It won't be easy to fix, but it's worth doing,” says Arvind Narayanan, a Princeton computer science professor who worked on the project.
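As an added example (not code from the article or the Princeton study), here is a defender-side heuristic for the pattern described above: it flags login inputs that a password manager would autofill but that no user can see. The DOM snapshot, field names and the set of hiding checks are constructed for this example.

```javascript
// Added example, not code from the article or the Princeton study: a heuristic
// flagging inputs a password manager would autofill but no user can see. In a
// browser the snapshot would come from the live DOM (getComputedStyle,
// getBoundingClientRect, ideally inside a MutationObserver); here it is constructed.
const AUTOFILL_TYPES = new Set(['password', 'text', 'email', 'tel']);
const AUTOFILL_HINTS = /user|login|email|pass/i;
// Fields a password manager fills: passwords, and text-like inputs whose
// autocomplete token or name looks like a username/e-mail field.
function isAutofillTarget(el) {
  if (el.tag !== 'input' || !AUTOFILL_TYPES.has(el.attrs.type)) return false;
  if (el.attrs.type === 'password') return true;
  return AUTOFILL_HINTS.test(el.attrs.autocomplete || '') || AUTOFILL_HINTS.test(el.attrs.name || '');
}
// Style properties that hide an element and everything inside it.
function styleReasons(s = {}) {
  return [s.display === 'none' && 'display:none', s.visibility === 'hidden' && 'visibility:hidden',
          Number(s.opacity) === 0 && 'opacity:0'].filter(Boolean);
}
// Geometry checks apply to the input itself only: a zero-size parent with
// overflow:visible does not hide its children.
function geometryReasons(b) {
  if (!b) return [];
  if (b.width === 0 || b.height === 0) return ['zero-size'];
  if (b.left + b.width <= 0 || b.top + b.height <= 0) return ['off-screen'];
  return [];
}
// Depth-first walk; `inherited` carries hiding reasons down from ancestors.
function findHiddenAutofillInputs(node, inherited = []) {
  const hidden = [...inherited, ...styleReasons(node.style)];
  const out = [];
  if (isAutofillTarget(node)) {
    const reasons = [...hidden, ...geometryReasons(node.rect)];
    if (reasons.length) out.push({ name: node.attrs.name, type: node.attrs.type, reasons });
  }
  for (const c of node.children || []) out.push(...findHiddenAutofillInputs(c, hidden));
  return out;
}
// Constructed snapshot: the site's visible login field, a CSRF token that is never
// autofilled, a display:none form injected by a third-party script, and an off-screen field.
const SNAPSHOT = { tag: 'body', children: [
  { tag: 'form', attrs: {}, children: [
    { tag: 'input', attrs: { type: 'email', name: 'email', autocomplete: 'username' }, rect: { left: 40, top: 120, width: 240, height: 32 } },
    { tag: 'input', attrs: { type: 'hidden', name: 'csrf' } } ] },
  { tag: 'div', attrs: {}, style: { display: 'none' }, children: [ { tag: 'form', attrs: {}, children: [
    { tag: 'input', attrs: { type: 'text', name: 'username' }, rect: { left: 0, top: 0, width: 0, height: 0 } },
    { tag: 'input', attrs: { type: 'password', name: 'password' }, rect: { left: 0, top: 0, width: 0, height: 0 } } ] } ] },
  { tag: 'input', attrs: { type: 'text', name: 'login', autocomplete: 'username' }, rect: { left: -9999, top: 10, width: 200, height: 30 } } ] };
```

Running `findHiddenAutofillInputs(SNAPSHOT)` reports the two injected fields and the off-screen one, while the visible e-mail field and the `type=hidden` token (which browsers never autofill) are left alone.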

The Princeton research showed that information was also being funneled back to Acxiom, a massive consumer data broker. Contacted by The Verge, AdThink disputed that data was shared specifically with Acxiom, although the company acknowledged that data is routinely shared with third parties.

“The particular piece of code discussed in this study was experimental and is responsible for only a very tiny fraction of the data collected globally,” the company said in a statement. “At the time of writing this statement, this code has already been deleted with absolutely no impact on our advertising business.”

For Narayanan, most of the blame goes to the websites that choose to run scripts like AdThink, often without realizing how invasive they truly are. “We'd like to see publishers exercise better control over third parties on their sites,” Narayanan says. “These problems arise partly because website operators have been lax in allowing third-party scripts on their sites without understanding the implications.”

Update 1/3 9:58AM ET: Updated to include statement from AdThink.


I’m so tired of everyone trying to scam everyone else. It’s getting very old. I just removed all of my passwords from my browser. I hate the internet sometimes.

I don’t think you understood the article.

I actually don’t think you did, but nice try. It said they are stealing usernames from the browsers, and possibly passwords. So I deleted mine.

They don’t steal usernames, the article just needed a clickbaity headline. If you read the source article then you see that they actually generate a unique hash value from your username, which would be the same on every website where you use the same email or potentially the same password, but they do not save your data as plain text. They can use that to track you when you browse websites you have a login saved for, without even being logged in. That’s still pretty bad but not as bad as it is made to sound here.

The actual problem is that third-party scripts on a website can get this site’s saved credentials. What they do with it is up to them.

The article describes one way to use the data they steal, but they can do whatever they want with it. I’d hope that AdBlock, uBlock Origin, et al. would block their third-party scripts in the first place.

Did YOU read the article? Yes, advertisers do what you described, but malicious code could easily grab your username and passwords using the same technique.

You could have just installed NoScript and tracker blockers like Privacy Badger and Blur. The Verge won’t tell you this because they don’t want their ads blocked.

That’s why I just skim articles and jump right to the comments, where the useful info can be found. Thanks.

…your comment will be deleted in 5…4…3…2…

And I don’t want to block them because I like reading articles on the web.

After reading your comment, I did some research and this is the only reliable article I could find to compare browser extensions.

It seems to cross-reference well with what I read on wikipedia about Ghostery (avoid using it).

I am going to give Disconnect a try since it is also available for Opera.

The problem is that this is a bit complex. Even ignoring this, when talking about 3rd party scripts, even without the browser manager thing, they can hijack the logins. They can also hijack your cookies and the like.

A way around that is to require that all 3rd party scripts load in iframes, but then you lose out on context revenue.

But in the future ads.txt should help alleviate such cases. It’s not a complete fix but it limits which 3rd party ads are allowed to run. And if in the future browsers use that, the probability of this happening would significantly decrease.

They can’t do shit about 1st party cookies though.
Also, cookies should die.

Cookies are used to keep you logged in, just an FYI… without them, logging into websites becomes a ton more complicated.

1st party cookies sure. But these are basically harmless in this context.

I was referring to your “cookies should just die” comment.

You can most definitely grab 1st party cookies through script injection.

Really is getting bad. People suck.

What I want to know is why these people aren’t in jail? In any other universe, this is called computer hacking and a cyber breach.

Same as for every computer crime: the more you try to punish them, the harder it will get to find them, and they have a huge advantage.

Never trusted any browser’s manager and now I have a reason. Been with LastPass for almost a decade!

Pretty sure LastPass has been accused of doing something similar and selling the info. Might want to double check and make sure you’ve opted out of all targeted advertising.

Can you link me an article that has them selling info? I don’t see anything in the settings to opt out.

I wouldn’t trust LastPass either.
