Your browser login managers are not safe and this is why

Freedom to Tinker recently found that advertising companies are using scripts to retrieve saved credentials from the browser’s login manager: the script creates a form with username and password fields, which the login manager then autofills. The email address is “hashed” and sent to the company’s server.

A hashed email is the output of a cryptographic hash function. Hashing transforms a piece of data, like an email address, into a fixed-length hexadecimal string; unlike encryption it is one-way, so there is no key that turns the string back into the address. The same email address always produces the same hexadecimal string, so it remains consistent no matter where the email is used to log in on the web.

The scripts do not copy the password, but email addresses are unique and persistent, which makes them an excellent tracking identifier. The hashed address can be used to link the pieces of an online profile scattered across different browsers, devices and mobile apps.
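To make the two points above concrete, here is an added example (not code from the original post or from any of the companies it names) showing why a hashed address is a stable cross-site identifier and why it is not anonymous. It assumes SHA-256 and lower-casing as the hashing recipe, since the post does not say which function the scripts use; the sample logins are constructed.

```python
import hashlib

# Constructed sample: one user logs in on three unrelated sites, typing the
# address slightly differently each time; a second user appears on one site.
SAMPLE_LOGINS = [
    ("news.example",  "Alice.Smith@Example.com"),
    ("shop.example",  " alice.smith@example.com "),
    ("forum.example", "ALICE.SMITH@EXAMPLE.COM"),
    ("shop.example",  "bob@example.org"),
]


def tracking_id(email: str) -> str:
    """Normalise an address and hash it (SHA-256 assumed; the post does not
    name the function). Same input gives the same hex string on every site."""
    normalised = email.strip().lower()
    return hashlib.sha256(normalised.encode("utf-8")).hexdigest()


def link_profiles(logins):
    """Group site visits by hashed email: the cross-site profile a tracker can
    assemble without ever storing the plaintext address."""
    profile = {}
    for site, email in logins:
        profile.setdefault(tracking_id(email), set()).add(site)
    return profile


def reidentify(hashed_id: str, known_emails):
    """Hashing is one-way but not anonymising: whoever already holds a list of
    addresses (a customer database, say) can hash each one and match it back
    to the person behind the 'anonymous' identifier."""
    for email in known_emails:
        if tracking_id(email) == hashed_id:
            return email.strip().lower()
    return None


if __name__ == "__main__":
    for hashed, sites in link_profiles(SAMPLE_LOGINS).items():
        print(hashed[:16], "seen on", sorted(sites))
```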

The Scripts and who owns them

Adthink (audienceinsights.net): the Adthink script contains very detailed categories for personal, financial and physical traits, as well as intents, interests and demographics. What exactly these categories are used for I do not know, but they give a glimpse of what our online profiles are made up of:

Birth date, age, gender, nationality, height, weight, BMI (body mass index), hair colour, eye colour (amber, blue, brown, grey, green), education, occupation, income, relationship state, seek for gender (m, f, transman, transwoman, couple), pets, location (postcode, town, country), loan (type, amount, duration), insurance (car, motorbike, home, pet, health, life), card risk (chargeback, fraud attempt), car (make, model, type, registration, model year, fuel type), tobacco, alcohol, travel (from, to, departure, return), hotel_stars.

OnAudience (behavioralengine.com): most commonly present on Polish websites. It also collects browser features including plugins, MIME types, screen dimensions, language, timezone information, and OS and CPU information. It also claims to use anonymous data only (how can it, when it collects your email address as well?).

No wonder these companies use the taglines “Smart Advertising Performance” and “Big Data Marketing”.

Risk.

Because the email address is a unique identifier, you can be tracked throughout the internet: clearing cookies and browser history, and using incognito mode, will not hide your activity. So if someone discovers a password for one site, I hope it is a unique password for that one site, so that they can only get access to that site. If it is a commonly used password that you also use for your email, they can log into your email and reset the passwords of all the websites you use, which is the worst thing that could happen.

What to do.

Use unique passwords for each web service you use and do not save them when the browser asks.

The login manager is truly a convenient thing and makes logging into a site seamless. It automatically updates saved form information when it changes. Unfortunately, most browser password managers don’t allow you to disable autofill. There’s no way to disable the autofill feature if you’re using the integrated password manager in Google Chrome or Microsoft Edge, for example. Chrome does have an option to disable autofill, but it only disables autofill of data like addresses and phone numbers, not passwords. There is an option to disable autofill of passwords in Mozilla Firefox’s password manager, but it’s hidden in about:config.

Use a third-party password manager to store your passwords, like LastPass (disable autofill by clicking the LastPass extension button on your browser toolbar and clicking “Preferences”; uncheck the “Automatically Fill Login Information” option under General and then click “Save” to save your changes) or 1Password, which does not use an automatic autofill feature.

If you can, use Quad9 (9.9.9.9) as your DNS server (I will write about this in more detail at a later date). I am not sure yet, but they have a comprehensive database that filters out “problematic” websites.

With security it is always a balance between convenience and keeping your data safe; you need to work out what is best for you. I am going to cut down on the convenience and up my security.
If you want more advice on what to do, there is a useful blog post on howtogeek.com.

About the Author:
IT Consultant, Director of IT Konstruct Ltd, Project Management and Change Management Company. A portfolio of commercial, Public and non-profit projects.
