Why you should never trust the password managers of web browsers!

in #news, 7 years ago (edited)

To help build behavioral profiles of Internet users, some marketing companies do not hesitate to extract the identifiers stored in browsers' password managers.


How it works

To log in to online accounts (merchant sites, government services, banks, etc.), what could be more practical than the automatic entry offered by the password managers built into browsers? Chrome, Firefox and Edge have long been able to save your login and password and fill them in automatically when they encounter the authentication form of the site in question.

The problem is that this approach carries the risk of having your identifiers harvested by marketing companies specializing in ad targeting. This is what researchers Gunes Acar, Steven Englehardt and Arvind Narayanan from Princeton University have just revealed. They detected two statistical analysis and marketing scripts, AdThink and OnAudience, which are able to retrieve a user's login credentials for a given site.

The principle is quite simple: once logged in to a site, the user browses different pages, one of which contains the marketing script. The script generates an invisible login form, which the browser fills in automatically. The script then captures the identifier, which is often an email address, and derives from it a mathematical fingerprint (an MD5, SHA1 or SHA256 hash) that is sent to the marketing provider's servers.

Why?

These scripts also collect other information about the browser configuration and the user's actions. The advantage of recovering the fingerprint of the identifier is that all this information can be tied to a unique value that is far from anonymous. "To find out if a user is in the data set, just hash the user's email address and perform a search," say the researchers in a blog post. This collection thus greatly facilitates the behavioral and advertising targeting of Internet users. The fingerprint makes it possible for marketing companies to compare their data sets with each other and to establish a complete profile of the user.
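The lookup the researchers describe, and the cross-dataset matching it enables, as an added example (not code from the original post or from the researchers). The sample addresses, the two tracker datasets and the trim/lower-case normalisation are assumptions made for the illustration.

```python
import hashlib

ALGORITHMS = ("md5", "sha1", "sha256")  # the digests named in the article


def fingerprints(email):
    """Return {algorithm: hex digest} for an e-mail address.

    Trimming and lower-casing before hashing is an assumption of this example.
    """
    data = email.strip().lower().encode("utf-8")
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ALGORITHMS}


def is_in_dataset(email, dataset):
    """Membership test from the quote: hash the address, then search for it."""
    return any(fp in dataset for fp in fingerprints(email).values())


def link_profiles(*datasets):
    """Join independently collected datasets on the shared fingerprint."""
    merged = {}
    for dataset in datasets:
        for fp, attributes in dataset.items():
            merged.setdefault(fp, {}).update(attributes)
    return merged


# Constructed sample data: two unrelated collectors that each stored only a
# hash of the identifier, never the address itself.
alice = fingerprints("alice@example.com")["sha256"]
bob = fingerprints("bob@example.com")["sha256"]
tracker_a = {alice: {"browser": "Firefox", "visited": "shop.example"}}
tracker_b = {alice: {"interest": "travel"}, bob: {"interest": "sports"}}

# The hash is a stable pseudonym: the same address always yields the same
# key, so the two records for one person merge into a single profile.
profiles = link_profiles(tracker_a, tracker_b)

if __name__ == "__main__":
    print(is_in_dataset("Alice@Example.com", tracker_a))
    print(profiles[alice])
```

Because the address is known or guessable, the hash gives no anonymity: anyone holding the address can recompute the key.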

This extraction works when the site publisher takes no precautions in integrating its marketing partner's script. Logically, the browser should treat this code as coming from a third party and, in accordance with the principle of origin separation (Same Origin Policy), not insert the identifiers into the form. "However, if a publisher integrates the third-party script without isolating it in an iframe, it is considered as coming from it," explain the researchers.

The next time your browser asks whether you want to save your password, think twice!

Picture source: Phonandroid

Thanks for reading

done :) upvote back :)

The @OriginalWorks bot has determined this post by @sofdz to be original material and upvoted it!

Ohh my God, I always did that.. I'm afraid to lose my secret accounts :( .. By the way, thanks for the post

Well, try to erase your browser data and avoid saving your passwords again! You're welcome :)

Where should I erase, in what settings? Please guide me, thanks again
