27

"Ad targeters are pulling data from your browser’s password manager"

---

Well, fuck.

"It won't be easy to fix, but it's worth doing"

Just check for visibility or like other password managers handle it iirc: assign a unique identifier based on form content and fill that identifier only.

---

"Nearly every web browser now comes with a password manager tool, a lightweight version of the same service offered by plugins like LastPass and 1Password. But according to new research from Princeton's Center for Information Technology Policy, those same managers are being exploited as a way to track users from site to site.

The researchers examined two different scripts — AdThink and OnAudience — both of which are designed to get identifiable information out of browser-based password managers. The scripts work by injecting invisible login forms in the background of the webpage and scooping up whatever the browsers autofill into the available slots. That information can then be used as a persistent ID to track users from page to page, a potentially valuable tool in targeting advertising."

Source: https://theverge.com/2017/12/...
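
The visibility check suggested in the post above, sketched as an added example that is not part of the original post, the article, or any browser's code. The element model, function names and sample forms are constructed for illustration; in a browser the style values would come from `getComputedStyle(el)` and the rectangle from `el.getBoundingClientRect()` shifted by the scroll offsets.

```javascript
// Added example: a visibility gate an autofill routine could apply before filling.
// Element model (constructed): { name, style, rect, parent }, rect in document coordinates.

function hiddenReason(el) {
  // Computed `visibility` is inherited, so the element's own value is the effective one.
  const v = (el.style || {}).visibility;
  if (v === 'hidden' || v === 'collapse') return 'visibility:' + v;
  // display:none and opacity act on the whole subtree, so walk the ancestors.
  for (let node = el; node; node = node.parent) {
    const s = node.style || {};
    if (s.display === 'none') return 'display:none';
    if (s.opacity !== undefined && parseFloat(s.opacity) < 0.1) return 'opacity:' + s.opacity;
  }
  const r = el.rect;
  if (r.width < 2 || r.height < 2) return 'too-small';
  if (r.x + r.width <= 0 || r.y + r.height <= 0) return 'off-page';
  return null; // nothing suggests the field is hidden
}

// Fill only when every credential field in the form is visible to the user.
function autofillDecision(fields) {
  const blocked = fields
    .map((f) => ({ name: f.name, reason: hiddenReason(f) }))
    .filter((x) => x.reason !== null);
  return { fill: blocked.length === 0, blocked };
}

// Constructed sample forms: an ordinary login form and a background-injected one.
const box = (x, y, w, h) => ({ x, y, width: w, height: h });
const visibleForm = [
  { name: 'email', style: {}, rect: box(400, 300, 240, 32), parent: { style: {} } },
  { name: 'password', style: {}, rect: box(400, 340, 240, 32), parent: { style: {} } },
];
const hiddenContainer = { style: { display: 'none' } };
const injectedForm = [
  { name: 'email', style: {}, rect: box(0, 0, 0, 0), parent: hiddenContainer },
  { name: 'password', style: { opacity: '0' }, rect: box(-9999, 0, 200, 20), parent: { style: {} } },
];

console.log(autofillDecision(visibleForm));
console.log(autofillDecision(injectedForm));
```

This is a heuristic only: a field covered by another element or clipped by its container still passes these checks.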

Comments
  • 1
    @Floydian whenever people mention movies related to these kinds of things, it makes me question if I actually want to fuel paranoia, but could you link the one you mean, now I am just curious.
  • 1
    Well there’s another reason to block ads 😒
  • 6
    Why would anyone trust a password manager? No matter if it's integrated into a browser or stand alone.
    You can not know what it does and if it's really secure (it's not, be sure about that).

    Use passwords you can remember, use some kind of pattern to create your passwords and to generate per-account-passwords, but never ever store them anywhere. Neither in any kind of software, nor on paper or carved in stone. In terms of security trust no one but yourself.

    It's not difficult, anyone can do it. It's as easy as using the first letter of each word in one or more sentences including punctuation marks. Use any sentence you can easily memorize:

    "Where do I use my password? amazon.com!" -> WdIump?a.c!

    Too simple? Extend the sentence:

    "Where do I use my password? amazon.com. amazon.com? Yes it is for amazon.com!" -> WdIump?a.c.a.c?Yiifa.c!

    Need numbers? Try

    "My password for amazon.com has more than 4 character!" -> Mpfa.chmt4c!
  • 0
    @ddephor Good idea
  • 0
    How about detecting the style of the login form maybe lol, you can't hide one without CSS, but yeah it'd be hard to distinguish.
  • 1
    @ddephor never store passwords on any password manager, trust only yourself.

    What if I built the password manager?
  • 0
    @ddephor Why not just use the phrases themselves?
  • 1
    @noisyass2 Even if you coded it yourself, you cannot trust the libraries you used, you cannot trust the OS whose system calls you use. Even if you had all the source code for it and built it all by yourself, it's too complex to check it all.

    Today you cannot even trust the hardware your software runs on, because so much hardware is smart and programmable enough to be a security issue.
  • 0
    @Root You can use the whole sentence if you want, but that takes more time to type it.
  • 2
    @ddephor honestly, it's faster. Figuring out the first letters takes me longer than just typing the entire thing.
  • 2
    @ddephor good point there. So I need to build my own hardware.

    Or I wouldn't be able to trust the manufacturers of the parts I'm gonna be using for the hardware too? 😰😰😰

    All that hassle just to store passwords? Fuck me.
  • 2
    @noisyass2 Security is a tough subject and usually more security means less comfort.

    You can use whatever software you want, but you have to be ok with the consequences. If the password manager is not secure, you can lose all your passwords. And you can never know if that already happened and you just don't know it.

    For me there is no need for such a thing like a password manager, I am my personal, biological password manager.

    And the main rule that applies to all data, but especially to important or confidential data: The fewer places data/information is stored, the less probable it is to get stolen.
  • 1
    One bonus of a password manager is surely that keyloggers are useless against them? Silver lining and all that. Personally use it for convenience. I have a couple of weaker passwords for unimportant sites that have no payment details or personal information then use separate secure ones for everything else that I don't usually store but usually have 2 factor for anyway.
  • 1
    Here is also a site provided by them, where you can check your id in their network and "opt out":

    http://static.audienceinsights.net/