Marketing Firms Exploiting Browsers’ Autofill Feature to Steal Email Addresses

Sam E, published in redmorph, Jan 24, 2018

Researchers at Princeton have revealed two marketing firms are using the exploit.

You know that handy autofill feature that saves you time when you’re logging in somewhere online? Maybe think twice before using it — at least until the browsers can rectify an exploit that is allowing marketing firms to steal your email address.

The exploit takes advantage of a browser’s built-in login manager. And before you think this doesn’t affect you, all the most popular internet browsers have this feature: Google Chrome, Mozilla Firefox, Apple Safari and Microsoft Edge. They all have a feature that saves your email address and password for sites you regularly log in to.

Unfortunately, this is the internet. And in yet another example of “this is why we can’t have nice things,” a pair of marketing firms have figured out a way to abuse this feature by placing invisible forms that run secretly on over 1,100 websites.

Wait, what?

New Uses for Old Vulnerabilities

The Princeton researchers who published their findings on Wednesday were quick to point out that this isn’t a new vulnerability; rather, it is a new way to use an old one.

The underlying vulnerability of login managers to credential theft has been known for years. Much of the past discussion has focused on password exfiltration by malicious scripts through cross-site scripting (XSS) attacks. Fortunately, we haven’t found password theft on the 50,000 sites that we analyzed. Instead, we found tracking scripts embedded by the first party abusing the same technique to extract email addresses for building tracking identifiers.

Original source: https://www.thesslstore.com/blog/exploiting-browsers-autofill-feature/

What can you do about it?
You can install ad blockers and the Redmorph browser extension to prevent malicious attacks. Another option is to use a password manager such as 1Password or LastPass.
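If you run a website, you can also audit your own pages for the invisible login forms described above. The sketch below is an added example, not code from the Princeton researchers or from Redmorph. It works on a constructed page snapshot; the record layout, the `insertedBy` field and the `shop.example` and `tracker.example` origins are assumptions made for illustration.

```javascript
// Added example: audit a page snapshot for invisible credential forms.
// Records are plain objects; in a browser they would be built from
// getComputedStyle() and getBoundingClientRect(). `insertedBy` is a
// hypothetical field: URL of the script that created the form, null if static.
const CRED_TYPES = new Set(['email', 'password']);
const CRED_AUTOCOMPLETE = new Set(['email', 'username', 'current-password']);

function isInvisible(el) {
  const s = el.style || {};
  return s.display === 'none' || s.visibility === 'hidden' ||
    parseFloat(s.opacity) === 0 ||
    el.width <= 1 || el.height <= 1 ||                  // collapsed to nothing
    el.left + el.width <= 0 || el.top + el.height <= 0; // parked off-screen
}

function isCredentialField(input) {
  return CRED_TYPES.has(input.type) || CRED_AUTOCOMPLETE.has(input.autocomplete);
}

function auditForms(forms, pageOrigin) {
  const findings = [];
  for (const form of forms) {
    const fields = form.inputs.filter(isCredentialField);
    if (fields.length === 0) continue; // nothing a login manager would fill
    if (!isInvisible(form) && !fields.every(isInvisible)) continue;
    const thirdParty = form.insertedBy !== null &&
      new URL(form.insertedBy).origin !== pageOrigin;
    findings.push({ id: form.id, fieldTypes: fields.map((f) => f.type),
      insertedBy: form.insertedBy, severity: thirdParty ? 'high' : 'review' });
  }
  return findings;
}

// Constructed sample snapshot for the assumed site https://shop.example
const box = (left, top, width, height, style = {}) => ({ left, top, width, height, style });
const SAMPLE_FORMS = [
  { id: 'login', insertedBy: null, ...box(40, 200, 320, 180),
    inputs: [{ type: 'email', ...box(60, 220, 280, 32) },
             { type: 'password', ...box(60, 270, 280, 32) }] },
  { id: 'trk', insertedBy: 'https://cdn.tracker.example/t.js',
    ...box(0, 0, 0, 0, { display: 'none' }),
    inputs: [{ type: 'email', ...box(0, 0, 0, 0) },
             { type: 'password', ...box(0, 0, 0, 0) }] },
  { id: 'offscreen', insertedBy: 'https://shop.example/app.js', ...box(-9999, 0, 200, 40),
    inputs: [{ type: 'text', autocomplete: 'username', ...box(-9990, 5, 180, 30) }] },
  { id: 'search', insertedBy: null, ...box(0, 0, 200, 30),
    inputs: [{ type: 'search', ...box(0, 0, 180, 30) }] },
];

console.log(auditForms(SAMPLE_FORMS, 'https://shop.example'));
```

The visible login form and the search box pass; the hidden form created by an off-site script is rated high, and the off-screen form from the site's own script is flagged for review.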
