Serg Nvns - Fotolia

Browser login managers allow tracking scripts to steal credentials

News roundup: Login managers enable the exposure of user credentials in over 1,000 websites. Plus, Mozilla patched a critical vulnerability in Thunderbird, and more.

Privacy researchers warned that third-party tracking scripts are able to secretly steal user identities from browsers' login managers.

Privacy researchers Gunes Acar, Steven Englehardt and Arvind Narayanan from Princeton University's Center for Information Technology Policy found that existing vulnerabilities in built-in login managers are abused by third-party tracking scripts on more than a thousand websites. The vulnerabilities exist in all major web browsers and stem from issues with the autofill credential tool included in them.

"First, a user fills out a login form on the page and asks the browser to save the login," the researchers explained. "The tracking script is not present on the login page. Then, the user visits another page on the same website, which includes the third-party tracking script. The tracking script inserts an invisible login form, which is automatically filled in by the browser's login manager. The third-party script retrieves the user's email address by reading the populated form and sends the email hashes to third-party servers."

The team found two services, Adthink and OnAudience, using these scripts. The researchers identified scripts from these services that gathered login information on 1,110 sites from the Alexa Top 1 Million sites list.

This method for stealing credentials through built-in browser login managers has been known for quite some time, but according to the researchers, it has only previously been used to collect login information during cross-site scripting attacks. In this case, there's no evidence that passwords have been stolen -- just usernames and email addresses.

The kicker with this particular attack method is users don't even have to do anything for their information to be stolen. "Login form autofilling in general doesn't require user interaction; all of the major browsers will autofill the username (often an email address) immediately, regardless of the visibility of the form," the researchers wrote. "Chrome doesn't autofill the password field until the user clicks or touches anywhere on the page. Other browsers we tested don't require user interaction to autofill password fields."

The Princeton researchers explained that third-party JavaScript can pull saved credentials by creating a similar username and password field, which the login manager autofills. The team tested the password managers in Firefox, Chrome, Internet Explorer, Microsoft Edge and Safari.

"Built-in login managers have a positive effect on web security: they curtail password reuse by making it easy to use complex passwords, and they make phishing attacks are [sic] harder to mount," the Princeton team wrote. "Yet, browser vendors should reconsider allowing stealthy access to autofilled login forms in the light of our findings. More generally, for every browser feature, browser developers and standard bodies should consider how it might be abused by untrustworthy third-party scripts."

In other news:

  • Mozilla patched a critical vulnerability in its open source email client, Thunderbird. The patch was part of the December security advisory that addressed five total bugs. The issue with Thunderbird was the only critical patch. "A buffer overflow occurs when drawing and validating elements using Direct 3D 9 with the ANGLE graphics library, used for WebGL content," the Mozilla advisory said. "This is due to an incorrect value being passed within the library during checks and results in a potentially exploitable crash." The attack only affected Windows systems running the email client. Thunderbird also works as a news, RSS and chat client. Two of the other issues addressed in the advisory, both labeled as high impact, affected the RSS feature. The first made it possible to "execute JavaScript in the parsed RSS feed when RSS feed is viewed as a website." And the second enabled a local path straight to be leaked from the RSS feed. One "moderate" vulnerability also affected the RSS feature and enabled RSS fields to "inject new lines into the created email structure, modifying the message body." The least-severe vulnerability in the advisory made it possible to spoof "the sender's email address and display an arbitrary sender address to the email recipient. The real sender's address is not displayed if preceded by a null character in the display string." Updating to the latest version of Thunderbird, 52.5.2, should correct all of the vulnerabilities in the Mozilla advisory.
  • Sound waves can disable hard disk drives and sabotage computers, CCTV systems, medical devices and more, according to a new study. Researchers from Princeton and Purdue University introduced the attack principle in a recent paper. The researchers blasted sound waves at hard drives from different angles to determine what frequency, placement and timing were needed to successfully disrupt the functions of the hard disk drive. They were successful on the four different Western Digital hard drives used in their experiments. When the sound wave hits the hard disk drive, it causes a denial-of-service attack that stops the device from working. The researchers disrupted hard disk drives found in DVRs used in CCTV systems, as well as desktop computers running Windows 10, Ubuntu 16 and Fedora 27 operating systems. In the case of the DVR, the digital recording during the time of the attack was permanently lost. While the attacks require specific circumstances -- such as no human operators around to hear the sound and thus stop the attack -- they could still potentially harm people with medical devices that run on the hard disk drives.
  • has temporarily shut down portions of its community genealogy website RootsWeb after 300,000 user passwords, email addresses and usernames were exposed. Security researcher Troy Hunt alerted the company that he had found a file with the user data exposed on the public-facing internet. "Our Information Security Team reviewed the details of this file, and confirmed that it contains information related to users of Rootsweb's surname list information, a service we retired earlier this year," CISO Tony Blackham wrote in a statement. Blackham said the exposed file contained the data of 300,000 users, and 55,000 of those users used the same information on another Ancestry website, though he didn't explain what led to the file being exposed. "We believe the intrusion was limited to the RootsWeb surname list, where someone was able to create the file of older RootsWeb usernames and passwords as a direct result of how part of this open community was set up, an issue we are working to rectify," Blackham said. "We have no reason to believe that any Ancestry systems were compromised. Further, we have not seen any activity indicating the compromise of any individual Ancestry accounts."

Dig Deeper on Application and platform security

Enterprise Desktop
Cloud Computing