Ad targeters exploit browsers’ password managers to track users online

Ad targeters are exploiting browsers’ built-in login managers to covertly collect hashes of users’ email addresses, to be used to track them across the web.

“Email addresses are unique and persistent, and thus the hash of an email address is an excellent tracking identifier,” Princeton University’s Center for Information Technology researchers explain.

“A user’s email address will almost never change — clearing cookies, using private browsing mode, or switching devices won’t prevent tracking. The hash of an email address can be used to connect the pieces of an online profile scattered across different browsers, devices, and mobile apps. It can also serve as a link between browsing history profiles before and after cookie clears.”

How does the data harvesting happen?

The collection of visitors’ email address happens via scripts provided by digital advertising service companies Adthink and OnAudience and placed by publishers (site owners) directly into their site’s code.

The scripts are not present on the sites’ login page, but on other pages, and the login form they inject into those pages are invisible to the visitors, the researchers found.

exploit browsers password managers track users online

“All major browsers have built-in login managers that save and automatically fill in username and password data to make the login experience more seamless. The set of heuristics used to determine which login forms will be autofilled varies by browser, but the basic requirement is that a username and password field be available,” the researchers noted.

“Login form autofilling in general doesn’t require user interaction; all of the major browsers will autofill the username (often an email address) immediately, regardless of the visibility of the form.”

Once the secret form is populated with the visitor’s address, the scripts create hashes of it to a server they control. Adthink’s script also sends one to data broker Acxiom, and the OnAudience script also collects information on various browser features, and generates a hash based on this browser fingerprint.

The researchers found these tracking scripts on 1110 of a total of 50,000 websites present on Alexa’s list of top 1 million sites.

How can users prevent this type of tracking?

The researchers listed several things publishers and browser vendors could do to prevent this type of tracking, but all solutions come with overhead that they might be reluctant to incur (e.g. increased engineering complexity or additional work by users).

Until they come up with a solution they can live with, users can use ad blockers or tracking protection extensions to prevent tracking by invasive third-party scripts.

“The domains used to serve the two scripts (behavioralengine.com and audienceinsights.net) are blocked by the EasyPrivacy blocklist,” the researchers noted.

Alternatively, they can stop using login managers built into browsers. Standalone password managers like AgileBits’ 1Password and Keeper Security’s Keeper do not automatically fill in web forms when users navigate to websites.