
Web trackers take advantage of browser login managers to steal user names


Princeton privacy experts warn that advertising and analytics firms can secretly extract user names from browsers using hidden login fields, and link unauthenticated users who visit a site to their profiles or email addresses on that domain. Many users who want to maintain their privacy will see this as a negative.

Trackers that steal user names

This type of abusive behavior is possible because of a design flaw in the login managers included in all browsers. Login managers allow browsers to remember the user name and password for specific sites and automatically insert them into the login fields when the user visits that site again.

Experts say web trackers can embed hidden login forms on sites where tracking scripts are loaded. Because of the way login managers work, the browser will fill in these fields with the user’s login information, such as user name and password.

This “trick” is old. It has been known for more than a decade, but until now it has only been used by hackers trying to gather login information during XSS attacks. This type of attack allows a third party to inject code, for example JavaScript, into visited pages.

The Princeton researchers add that they recently found two web tracking services that use hidden login forms to collect login information.

Fortunately, neither of the two services collected password information, only the user name or email address, depending on what each domain uses for the login process.
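For a site owner who wants to check their own pages for the hidden login forms described above, the following JavaScript is an added example, not code from the article or from the Princeton researchers. It flags forms that contain a password field but show none of their credential inputs to the user; the function names and the stand-in objects at the bottom are hypothetical and constructed for illustration.

```javascript
const CREDENTIAL_TYPES = new Set(['text', 'email', 'password']);

// True if the element or any ancestor is hidden by CSS, or has no visible box.
function isInvisible(el, getStyle) {
  for (let node = el; node && node.tagName; node = node.parentElement) {
    const s = getStyle(node);
    if (s.display === 'none' || s.visibility === 'hidden' || parseFloat(s.opacity) === 0) {
      return true;
    }
  }
  const box = el.getBoundingClientRect();
  return box.width <= 1 || box.height <= 1 || box.right <= 0 || box.bottom <= 0;
}

// Returns forms that contain a password field and show none of their credential
// inputs to the user: the shape a login manager could fill without being seen.
function findHiddenLoginForms(forms, getStyle) {
  return Array.from(forms).filter((form) => {
    const creds = Array.from(form.elements).filter(
      (el) => el.tagName === 'INPUT' && CREDENTIAL_TYPES.has(String(el.type).toLowerCase()));
    const hasPassword = creds.some((el) => String(el.type).toLowerCase() === 'password');
    return hasPassword && creds.every((el) => isInvisible(el, getStyle));
  });
}
// In a browser: findHiddenLoginForms(document.forms, (el) => getComputedStyle(el))

// --- Constructed stand-ins for DOM nodes so the check also runs under Node ---
const VISIBLE_BOX = { width: 200, height: 30, right: 300, bottom: 100 };
const OFFSCREEN_BOX = { width: 200, height: 30, right: -500, bottom: 20 };
function fakeEl(tagName, type, style, parent, box = VISIBLE_BOX) {
  return { tagName, type, style, parentElement: parent || null,
           getBoundingClientRect: () => box };
}
function fakeForm(id, formStyle, inputTypes, box) {
  const form = Object.assign(fakeEl('FORM', undefined, formStyle, null), { id });
  form.elements = inputTypes.map((t) => fakeEl('INPUT', t, {}, form, box));
  return form;
}
const getStyle = (el) => el.style; // stand-in for getComputedStyle

const sampleForms = [
  fakeForm('site-login', {}, ['email', 'password']),                // visible login
  fakeForm('injected', { display: 'none' }, ['email', 'password']), // hidden by CSS
  fakeForm('offscreen', {}, ['text', 'password'], OFFSCREEN_BOX),   // moved off-screen
  fakeForm('search', { display: 'none' }, ['text']),                // no password field
];
const flaggedIds = findHiddenLoginForms(sampleForms, getStyle).map((f) => f.id);
console.log(flaggedIds);
```

Forms that tracking scripts add after page load would only be seen if the check is run again once the page has settled.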

Servers

The two services are Adthink (audienceinsights.net) and OnAudience (behavioralengine.com), and the Princeton researchers said they found the scripts of these two services collecting login information on 1,110 sites.

In this particular case, the two companies were extracting the user name or email address from the login field. They created a hash of it and linked that hash to the site visitor’s existing advertising profile.

Demonstration page

Researchers at Princeton’s Center for Information Technology Policy also created a demo page that users can try (using fake credentials) to see whether their browser’s login manager fills in the hidden field.

You can see that the vast majority of browsers are vulnerable to this. Trackers can steal user names.

Security and privacy are very important to users. As we always say, you should have security tools and programs installed, ideally updated to the latest version. Only then will we be able to face threats that jeopardize the proper functioning of our equipment. Many types of malware require user interaction, which is why common sense can be our best weapon. Always stay alert.

1 COMMENT

  1. I just want to tell you that I’m very new to blogs and absolutely enjoyed your web-site. Likely I want to bookmark your blog. You amazingly come with fabulous well written articles. Thanks for revealing your website.
