Tracking scripts pull data from password managers

According to researchers at Princeton University, the advertising industry’s new tracking method exploits a weak point of the autofill feature. As a result, the intercepted data can be employed to follow users across various websites without using cookies.

Björn Greif, Editor

Many Internet users routinely delete cookies, frequently change their IP addresses or even use VPN services to ensure that they can’t be identified or tracked online. However, even these measures don’t necessarily guarantee success. The advertising industry is constantly developing new tracking methods aimed at accessing extremely valuable usage behavior data – and in the process, they intentionally ignore users’ desire to surf the Internet without being observed. This is no surprise: The more the advertising industry knows about computer users, the more it can earn.

Researchers at Princeton University have recently analyzed one of these innovative tracking methods. They found that tracking scripts incorporated into websites exploit a weak point of the autofill feature of password managers in order to track users across various pages. These password managers, which are already integrated into the majority of modern browsers or are available as add-ons, simplify the administration of login data, but can also use previously provided data to automatically fill in fields on websites and save users the work of typing out all their login data.

Nevertheless, it has been clear for some time that there are risks associated with the autofill feature, and the Princeton researchers confirmed this in their study. The new tracking procedure works as follows:

  1. A user visits the login page of a website, enters his or her login data in a form and saves it in the password manager. There are no third-party trackers present on the login page.
  2. The user visits a non-login page on the same website; this time a third-party script is present. The tracking script injects a login form, which the user cannot see.
  3. The password manager automatically fills in the stored data into the invisible login form.
  4. The tracking script reads the data from the form and sends it in a hashed form (i.e. not in plain text) to the server of the tracker operator, which can then track the user using this hash value. From now on, this value explicitly serves as the user ID.

This is how the tracking scripts obtain the user's e-mail address via the password manager's autofill feature; its hash then serves as a unique user ID (Image: Gunes Acar, Steven Englehardt, Arvind Narayanan).
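As an added example that is not part of the original post and not Cliqz's or Ghostery's own code: a small page-side detector for the injection in step 2 above. It assumes it is loaded into the page (for instance as a browser-extension content script); the classifier functions take plain objects and return a verdict, so they also run under Node without a DOM.

```javascript
// Added example, not from the original post or from Cliqz/Ghostery. Assumes it
// runs in the page as a content script; the classifier also runs under Node.
function describeInput(el, win) {
  const cs = win.getComputedStyle(el);
  const rect = el.getBoundingClientRect();
  return {
    type: (el.getAttribute('type') || 'text').toLowerCase(),
    autocomplete: (el.getAttribute('autocomplete') || '').toLowerCase(),
    display: cs.display, visibility: cs.visibility, opacity: Number(cs.opacity),
    width: rect.width, height: rect.height, left: rect.left, top: rect.top,
  };
}
// A field a password manager would fill: password/email inputs, or an
// autocomplete token naming a login credential.
function isCredentialField(d) {
  return d.type === 'password' || d.type === 'email' ||
    ['username', 'email', 'current-password', 'new-password'].includes(d.autocomplete);
}
// The user cannot see it: hidden, transparent, zero-sized or far off-screen.
function isInvisible(d) {
  return d.display === 'none' || d.visibility === 'hidden' || d.opacity === 0 ||
    d.width === 0 || d.height === 0 || d.left < -1000 || d.top < -1000;
}
// An invisible credential field is the autofill trap described in the text.
function isAutofillTrap(d) {
  return isCredentialField(d) && isInvisible(d);
}
// Inspect a node added after page load (step 2 above): report and remove every
// trap field so there is nothing for the password manager to fill.
function inspectAddedNode(node, win, report) {
  if (typeof node.querySelectorAll !== 'function') return 0; // text nodes etc.
  const inputs = node.tagName === 'INPUT' ? [node] : Array.from(node.querySelectorAll('input'));
  let hits = 0;
  for (const el of inputs) {
    const d = describeInput(el, win);
    if (!isAutofillTrap(d)) continue;
    hits++;
    report(d, el);
    el.remove();
  }
  return hits;
}
// Hook the DOM only in a browser; under Node this branch is skipped.
if (typeof document !== 'undefined') {
  const log = (d) => console.warn('invisible credential field injected:', d);
  new MutationObserver((muts) => muts.forEach((m) =>
    m.addedNodes.forEach((n) => inspectAddedNode(n, window, log))))
    .observe(document.documentElement, { childList: true, subtree: true });
}
```

Legitimate sites also hide credential fields on purpose (multi-step logins, accessibility helpers), and the detector cannot tell a first-party script from a third-party one, so treat a hit as a signal for review rather than proof of tracking. A real deployment would report rather than remove.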

Cross-domain tracking without cookies

The Princeton researchers analyzed two tracking scripts that misuse the autofill feature of password managers this way to read personally identifiable information (PII): AdThink and OnAudience. The hash values they transmit enable the cross-domain tracking of users entirely without the use of cookies.

According to the researchers, both scripts mentioned above target the e-mail addresses that users enter as user names, but other scripts could just as easily use the same method to read passwords, though this was not observed on the 50,000 websites analyzed. According to data from Alexa, the scripts AdThink and OnAudience were found on 1,110 pages of the top 1 million sites. OnAudience is ranked 331 in the WhoTracks.me tracking list. The following graphic illustrates that the tracker is active on numerous websites:

OnAudience is active on these German websites (Image: WhoTracks.me).

AdThink even directly transmits intercepted information to the data broker Acxiom, which in turn creates detailed user profiles that are then sold to advertisers. AudienceInsights, the operator of AdThink, does offer an opt-out. However, it is still unclear to what extent the customer's desire not to participate in data collection is truly respected.

Cliqz ensures you are protected

To make sure you are not susceptible, you are advised to deactivate the autofill feature in your browser or to use an anti-tracking tool such as Ghostery or the Cliqz browser. Our AI-powered anti-tracking reliably prevents the transmission of PII to third-party trackers, including hashes from e-mail addresses or passwords. This protects you against sleuthing scripts.

The Cliqz browser can be downloaded free of charge for Windows and macOS as well as for Android and iOS. Ghostery's anti-tracking tool is available as a free add-on for all standard browsers, including Cliqz.