Remembering a different password for each of the many sites we visit every day is a real challenge. How many times have you had to click the "forgotten password" link to generate a new one? Some services have recognised the weakness of the classic password and offer to authenticate you with a code received by SMS or a push notification in a dedicated app. This saves you from constantly going back through your email. It is the most secure technique, and it is also the one used in two-factor authentication.
But many users fall back on the password saving / autofill feature offered by browsers. When a site has no more sophisticated authentication mode (SMS / notification), it is convenient, and it saves you from reusing the same password everywhere, which is far too easy to crack. But it can be risky, as researchers at Princeton University have shown: it is possible for attackers to track your browsing by abusing this login feature.
How does it work? In concrete terms, a malicious script places an invisible login form on a web page; your browser's password manager fills it in, and the script reads the data and saves it to create a persistent identifier that follows you across the web, following the principle outlined in this demo. In theory the password itself is not obviously captured, but the attacker could eventually cross-reference the email address with data collected elsewhere, especially if he manages to capture the email / password pair as it is entered on the original site.
The main purpose of the manoeuvre is to feed users' browsing profiles with their email addresses, the most effective persistent identifier available to marketers. The email address retrieved from the invisible form is turned into a unique hash and sent to a server that compiles all the information. With this you could be tracked even after you clear your cookies.
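As an added example (not from the original post or the Princeton study), here is a static check a site owner or reviewer can run over a page's HTML to flag the pattern described above: a form that carries email or password fields but is hidden through inline CSS. The HIDDEN_STYLE patterns, SAMPLE_PAGE and the tracker URL in it are constructed for illustration; a real audit would inspect the live DOM and computed styles, since a form can also be hidden by a stylesheet class or by script.

```python
import re
from html.parser import HTMLParser

# Inline-style fragments that typically make an element invisible to the user
# (constructed heuristics: hidden, zero-size, transparent, or pushed off-screen).
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|opacity\s*:\s*0(?![.\d])"
    r"|(?:left|top)\s*:\s*-\d{3,}px|(?:width|height)\s*:\s*0(?:px)?(?![.\d])",
    re.IGNORECASE,
)
VOID = {"input", "br", "img", "meta", "link", "hr"}  # elements with no end tag


class HiddenLoginFormFinder(HTMLParser):
    """Collect ids of <form> elements that hold a credential field while the
    form itself or any ancestor is hidden via inline CSS or the hidden attribute."""

    def __init__(self):
        super().__init__()
        self.stack = []       # open elements as (tag, is_hidden_including_ancestors)
        self.current = None   # the form being parsed, if any
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        hidden = "hidden" in a or bool(HIDDEN_STYLE.search(a.get("style") or ""))
        hidden = hidden or any(h for _, h in self.stack)  # inherit from ancestors
        if tag == "form":
            self.current = {"id": a.get("id") or a.get("action") or "<anonymous>",
                            "hidden": hidden, "cred": False}
        elif tag == "input" and self.current is not None:
            kind = (a.get("type") or "text").lower()
            name = (a.get("name") or "").lower()
            if kind in ("password", "email") or "email" in name:
                self.current["cred"] = True  # field a password manager would autofill
        if tag not in VOID:
            self.stack.append((tag, hidden))

    def handle_endtag(self, tag):
        while self.stack:                      # pop back to the matching open tag
            if self.stack.pop()[0] == tag:
                break
        if tag == "form" and self.current is not None:
            if self.current["hidden"] and self.current["cred"]:
                self.findings.append(self.current["id"])
            self.current = None


def find_hidden_login_forms(html):
    """Return ids (or actions) of hidden forms that contain email/password inputs."""
    parser = HiddenLoginFormFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample: a visible login form, an off-screen form posting to a
# third-party collector, and a hidden form with no credential field.
SAMPLE_PAGE = """<html><body>
<form id="login" action="/login"><input type="email" name="email"><input type="password" name="password"></form>
<div style="position:absolute; left:-9999px; top:-9999px">
  <form id="tracker" action="https://tracker.example/collect"><input type="email" name="email"><input type="password" name="pw"></form>
</div>
<form id="newsletter" action="/subscribe" style="display:none"><input type="text" name="q"></form>
</body></html>"""

if __name__ == "__main__":
    print(find_hidden_login_forms(SAMPLE_PAGE))  # ['tracker']
```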
The research team found such scripts on 1,110 sites in the Alexa top 1 million! Several fixes are proposed, including hosting login forms on dedicated domains, secured against potential intrusions. On the browser side, disable automatic login or at least (depending on the browser's developer) show an alert before a form is filled in. If you are looking for a browser that puts security at the top of its priorities, we invite you to discover ours, URbrowser.
Forewarned is forearmed!