Web users are having their details secretly collected by ad tracking companies, researchers say.
They’re abusing password managers, which help you sign into websites by remembering your login details for you.
Researchers have found that ad tracking firms have been using invisible login forms to uncover and collect people’s email addresses without their knowledge.
These scripts, which are designed to help companies track users across the web, have been discovered on more than 1,000 top sites.
The researchers, from Princeton’s Center for Information Technology Policy, say the practice can help companies learn more about your online activities.
All major web browsers include a password manager (also called a login manager), which typically offers to remember your login details when you first sign in to a website.
By accepting the offer, you give the browser permission to autofill the username and password fields with your details whenever you’re required to log in to that site in the future, which can save time.
“First, a user fills out a login form on the page and asks the browser to save the login,” the researchers wrote. “The tracking script is not present on the login page. Then, the user visits another page on the same website which includes the third-party tracking script.
“The tracking script inserts an invisible login form, which is automatically filled in by the browser’s login manager. The third-party script retrieves the user’s email address by reading the populated form and sends the email hashes to third-party servers.”
Because the login form inserted by the script is invisible, users don’t realise that their details are being collected.
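The sequence the researchers describe (a credential form that is hidden from the user, created after the page has loaded by a script from another origin) is something a site owner's monitoring code or a browser extension can look for. The following is an added example, not code from the article or from the Princeton researchers: it models a page's forms as plain objects so it runs under Node without a browser (in a live page the same checks would use getComputedStyle, getBoundingClientRect and a MutationObserver), and it also sketches one possible browser-side policy, filling only visible forms the user has interacted with, which is our assumption about a mitigation rather than any vendor's actual behaviour. The page origin, tracker origin and style thresholds are constructed sample values.

```javascript
// Added example: detecting invisible, injected credential forms of the kind
// the article describes, plus a sketch of a gesture-gated autofill policy.
// Forms are modelled as plain objects so the code runs under plain Node.
const PAGE_ORIGIN = 'https://shop.example'; // constructed page origin

// Ways a form can be hidden from the user while still eligible for autofill.
// The size and off-screen thresholds are our own assumptions.
function hiddenReason(style) {
  if (style.display === 'none') return 'display:none';
  if (style.visibility === 'hidden') return 'visibility:hidden';
  if (Number(style.opacity) === 0) return 'opacity:0';
  const r = style.rect || { width: 0, height: 0, left: 0, top: 0 };
  if (r.width <= 1 || r.height <= 1) return 'zero-size';
  if (r.left + r.width < 0 || r.top + r.height < 0) return 'off-screen';
  return null;
}

// A form the browser's login manager would consider filling: it carries a
// password field or a field explicitly marked as the username/e-mail slot.
function isCredentialForm(form) {
  return form.inputs.some(i =>
    i.type === 'password' ||
    i.type === 'email' ||
    ['username', 'email'].includes(i.autocomplete));
}

// Classify one form. A hidden credential form is suspicious on its own;
// post-load insertion by a third-party script matches the reported pattern
// and raises confidence.
function classifyForm(form, pageOrigin = PAGE_ORIGIN) {
  const reasons = [];
  if (!isCredentialForm(form)) return { suspicious: false, confidence: 'none', reasons };
  const hidden = hiddenReason(form.style);
  if (hidden) reasons.push(`hidden (${hidden})`);
  if (form.insertedAfterLoad) reasons.push('inserted after page load');
  if (form.scriptOrigin && form.scriptOrigin !== pageOrigin) {
    reasons.push(`created by third-party script from ${form.scriptOrigin}`);
  }
  const suspicious = hidden !== null;
  const confidence = !suspicious ? 'none' : (reasons.length >= 3 ? 'high' : 'medium');
  return { suspicious, confidence, reasons };
}

// Assumed browser-side policy (not any vendor's real behaviour): fill
// credentials only into a visible form, and only after a user gesture on it.
function shouldAutofill(form, userGestureOnForm) {
  return isCredentialForm(form) && hiddenReason(form.style) === null && userGestureOnForm;
}

// Constructed sample page: the site's real login form, a search box, and an
// invisible form injected by a script from a different origin.
const VISIBLE = { display: 'block', visibility: 'visible', opacity: 1 };
const SAMPLE_FORMS = [
  { id: 'login',
    style: { ...VISIBLE, rect: { width: 320, height: 120, left: 40, top: 200 } },
    inputs: [{ type: 'text', autocomplete: 'username' }, { type: 'password' }],
    insertedAfterLoad: false, scriptOrigin: null },
  { id: 'search',
    style: { ...VISIBLE, rect: { width: 200, height: 30, left: 500, top: 10 } },
    inputs: [{ type: 'search' }],
    insertedAfterLoad: false, scriptOrigin: null },
  { id: 'trap',
    style: { display: 'none', visibility: 'visible', opacity: 1,
             rect: { width: 0, height: 0, left: 0, top: 0 } },
    inputs: [{ type: 'text', autocomplete: 'username' }, { type: 'password' }],
    insertedAfterLoad: true, scriptOrigin: 'https://tracker.example' },
];

// Audit every form on the page and return one verdict per form.
function auditForms(forms = SAMPLE_FORMS, pageOrigin = PAGE_ORIGIN) {
  return forms.map(f => ({ id: f.id, ...classifyForm(f, pageOrigin) }));
}

for (const r of auditForms()) {
  console.log(r.id.padEnd(8), r.suspicious ? 'SUSPICIOUS' : 'ok        ',
              r.confidence.padEnd(6), r.reasons.join('; '));
}
```

Only the injected form is flagged; the site's own login form and the search box pass, and under the assumed policy the injected form would never be filled because it fails the visibility check regardless of user interaction.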
The researchers found two scripts that use this technique to extract email addresses from password managers; between them, the scripts are present on 1,110 of the top one million Alexa sites.
“Email addresses are unique and persistent, and thus the hash of an email address is an excellent tracking identifier,” the researchers added.
“A user’s email address will almost never change — clearing cookies, using private browsing mode, or switching devices won’t prevent tracking.
“The hash of an email address can be used to connect the pieces of an online profile scattered across different browsers, devices, and mobile apps. It can also serve as a link between browsing history profiles before and after cookie clears.”
Fortunately, they didn’t find any incidents of password theft on any of the 50,000 sites they analysed as part of the study.
They have, however, called on web browser vendors to implement changes that prevent third parties from abusing autofill functionality in this manner.