The Leak of User IDs through the Browser’s built-in Password Manager
By Prempal Singh
Researchers from Princeton University drew attention about Leak User IDs to the application of some systems of analytics and display of advertising features of field autocomplete by the browser for the hidden definition of the user’s login on the current site.
In particular, on 1110 out of a million of the largest Alexa rated sites, a script was downloaded that retrieved the user’s email data for use as an identifier.
The script uses a flaw in the browser’s built-in password managers, which automatically fill out forms for logging in. On pages where there are no regular login forms, dummy invisible forms of entering a login and password are formed, after which it is checked what data the password manager has put in them. If an email is specified as the login, then a hash is generated on the basis of it and sent to the external server. The method allows you to define the password, but the detected scripts are limited to sending the hash from the email. Since email is unique and usually does not change, the hash from it is an excellent identifier for a specific user, allowing you to keep a binding to the user activity profile regardless of cleaning the cookie, selecting a different browser, and changing the device.
The password managers of all popular browsers are affected, but if Firefox, Internet Explorer, Edge and Safari fill out the login form immediately after the page is loaded, then Chrome only after clicking the user in any part of the page. It is noteworthy that the way to determine information through auto-complete forms has been known for more than 10 years, but was previously used only to intercept data within XSS attacks, and now it has also been used to track users with legitimate services. The analyzed sites identified at least two services for tracking movements (Ad think – audience insights.net and On Audience – behavioral engine.com, using the method discussed.) You can evaluate the work of the method on a specially prepared demo page .
In addition, we can mention the publication by Akamai of a study of the possibility of indirect identification of a user on the network based on an analysis of parameters and fields in the headers of the HTTP / 2 protocol, which differ for different browsers and operating systems.The differences are not sufficient for explicit identification, but it can quite well be used as an additional source of information for classifying users, to determine the VPN and proxy login, to obtain details about the type and version of the browser and the OS definition when specifying dummy User Agent values.