If you use the password manager feature of your browser you NEED to read this.
Advertisers and data miners use malware-like scripts to exploit a security flaw in the password manager included with your browser to collect your email address, password… and all the data/info they can about YOU.
Because this is bad.
Researchers at FreedomToTinker.com have discovered that some:
“third-party scripts exploit browsers’ built-in login managers (also called password managers) to retrieve and exfiltrate user identifiers without user awareness.”
These third parties are advertising and/or data collector companies.
This script should be considered a malware.
This script should be considered a malware. Period. These advertisers (and the websites that let this happen if they’re aware of what’s going on) may not be called hackers, but how on earth could this be even remotely legal? Though something tells me we won’t see the FBI on the case. And yet, if it was a person (hacker) or a shadowy organization doing this, what do you think would happen to them? But this is done by companies and advertisers, so it’s ok, right? NO.
FreedomToTinker.com “tested the following browsers: Firefox, Chrome, Internet Explorer, Edge, Safari.” All are vulnerable to this attack. Yes, all Apple products as well. (Btw, they’re no more secure than Android or Windows devices. It’s another myth I debunk in my books.)
Chrome users, though, are a bit less likely to be tracked and to have their ID/password potentially stolen that way, since:
“Chrome doesn’t autofill the password field until the user clicks or touches anywhere on the page. Other browsers we tested don’t require user interaction to autofill password fields.”
The researchers have also identified 1100 websites embedding the script. 1100 you may want to avoid for now… At least until you have implemented a solution (either stop using your browser’s password manager and manually type your ID/password when you wanna log in somewhere, or read further down for a simple solution).
The script can include detailed personal, financial, physical traits, as well as intents, interests and demographics
And it gets worse. Because the script created by these companies doesn’t “only” retrieve your ID (email address) and password. No… It’s not enough for them. They need to get EVERYTHING. So the script/malware they use can contain and collect a lot more info… like:
“Birth date, age, gender, nationality, height, weight, BMI (body mass index), hair color, eye color, education, occupation, net income, raw income, relationship states, seek for gender (m, f, transman, transwoman, couple), pets, location, loan (type, amount, duration, over indebted), insurance, credit card risk, has car (make, model, type, registration, model year, fuel type), tobacco, alcohol, travel etc…”
What is that if not a malware?
How to prevent this from happening to us?
The only solution we, as users, have at our disposal to avoid being tracked like this (it’s more than tracking, it’s sniffing any and every info possible about us) is to use an adblocker and, even more so, a script blocker. They will likely prevent any of that from happening… Like NoScript, which is an extension for Firefox that can even protect from most XSS (cross-site scripting) attacks and clickjacking attempts.
There’s also a No-Script extension for Chrome, but it’s made by a different developer, it’s a lot more basic and it would probably be useless against this attack, since you can only choose to allow all scripts to run on a (whole) website or not. And if you want to log in, you usually need to do so via a script…
There are plenty of script blockers available, though. So you will find one that suits you and is effective against this aggressive tracking.
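Why does the all-or-nothing switch fall short? A script loaded from somebody else's server still runs inside the page that includes it, so it can see what the login manager fills in there. Here is a small audit sketch, added as an illustration and not taken from the researchers or from any extension, that lists the third-party script hosts on a page and flags the page when it also carries a password field. The sample HTML, the hostnames and the function names are all constructed, and the first-party check is a simple suffix match on a domain you supply.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample page: a login form plus one first-party and two
# third-party scripts. All hostnames are made-up placeholders.
SAMPLE_HTML = """
<html><head>
<script src="/static/login.js"></script>
<script src="https://cdn.ads.example.net/tag.js"></script>
<script src="//metrics.example.org/collect.js" async></script>
</head><body>
<form action="/login" method="post">
  <input type="email" name="user">
  <input type="password" name="pass">
</form></body></html>
"""

class PageAudit(HTMLParser):
    """Collects external script URLs and notes whether a password field exists."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.script_urls = []
        self.has_password_field = False

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}  # valueless attrs arrive as None
        if tag == "script" and attrs.get("src"):
            # Resolve relative and protocol-relative URLs against the page.
            self.script_urls.append(urljoin(self.page_url, attrs["src"]))
        elif tag == "input" and attrs.get("type", "").lower() == "password":
            self.has_password_field = True

def is_first_party(script_url, site_domain):
    # Simplification (assumption): suffix match on a domain the caller
    # supplies, not a public-suffix-list lookup.
    host = (urlparse(script_url).hostname or "").lower()
    return host == site_domain or host.endswith("." + site_domain)

def audit(html, page_url, site_domain):
    parser = PageAudit(page_url)
    parser.feed(html)
    third_party = sorted({urlparse(u).hostname for u in parser.script_urls
                          if not is_first_party(u, site_domain)})
    return {"login_page": parser.has_password_field,
            "third_party_hosts": third_party,
            "at_risk": parser.has_password_field and bool(third_party)}

if __name__ == "__main__":
    print(audit(SAMPLE_HTML, "https://www.shop.example.com/login", "shop.example.com"))
```

The hosts it lists are the ones a per-origin script blocker lets you refuse while the site's own login script stays allowed. It only looks at scripts present in the HTML as served, not ones added later by other scripts.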
But wait… you can opt out… Kind of.
One last thing:
At least one of the two companies using this script to collect all this data on us gives an opt-out choice (IF you know you’re being –aggressively– tracked)… or not?
“Opting out means we won’t collect anymore data from the current Web browser until you opt back in. Implying that for the system to honor your opt out command, it must be able to anonymously identify the browser. For this purpose, we use persistent cookies. If you want to erase them, use the button below.
Reminder: as a consequence, the system will not be able to remember if you opted out.”
LOL… They use “persistent cookies”. Cookies that we must treat with love and care and NEVER delete… If we wanna stay opted out, that is. They couldn’t use your IP or MAC address, nope… They need a cookie that could very well still serve to track you and collect info on you… SMH.
And if you delete this cookie… Well, you automatically opt back in. 🤪