Password exploits leave consumers exposed to online ads
17 January 2018 - 10:54 by Mike Price
Hundreds of the world’s most popular websites have been found to contain scripts designed to nab account info from visitors and use it to tailor advertising, according to researchers from Princeton University.
The Independent reports that the sneaky code takes advantage of the fact that millions of people rely on browser-based password management solutions to keep track of the usernames and passwords they require to log into a whole range of sites, from social media to safe shopping online.
The technique comes down to tricking the browser's password manager into entering username and password info outside of pages specifically designed for logging in. The ‘invisible’ login fields are set up on subsequent pages and the private data can be snatched, meaning that email addresses end up in the hands of third parties.
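A site owner auditing a saved copy of a rendered page can look for the invisible login fields described above. The following Python code is an added example, not code from the researchers or this article; the inline-style heuristics, the choice of which input types count as credential fields, and the sample HTML are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Inline styles that make an element invisible to the user (heuristic, not exhaustive).
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden"
    r"|(opacity|width|height)\s*:\s*0(\.0+)?(px)?\s*(;|$)"
    r"|(left|top)\s*:\s*-\d{3,}px", re.I)
CRED_TYPES = {"password", "email"}
CRED_AUTOCOMPLETE = {"username", "email", "current-password"}
VOID = {"input", "br", "img", "hr", "meta", "link"}  # tags with no closing tag

class HiddenLoginFieldFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.open = []       # (tag, hidden?) for each open non-void element
        self.findings = []   # (line, input type, input name)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        # Hidden if the element itself or any open ancestor is hidden.
        hidden = ("hidden" in a or bool(HIDDEN_STYLE.search(a.get("style") or ""))
                  or any(h for _, h in self.open))
        if tag == "input":
            typ = (a.get("type") or "text").lower()
            auto = set((a.get("autocomplete") or "").lower().split())
            if hidden and (typ in CRED_TYPES or auto & CRED_AUTOCOMPLETE):
                self.findings.append((self.getpos()[0], typ, a.get("name")))
        if tag not in VOID:
            self.open.append((tag, hidden))

    def handle_endtag(self, tag):
        # Pop back to the matching open tag; stray closing tags are ignored.
        for i in range(len(self.open) - 1, -1, -1):
            if self.open[i][0] == tag:
                del self.open[i:]
                break

def find_hidden_login_fields(html):
    finder = HiddenLoginFieldFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample: one visible login form, two invisible credential fields, one faded field.
SAMPLE = """<form id="login"><input type="email" name="user"><input type="password" name="pw"></form>
<p>Article text</p>
<form style="display:none"><input type="email" name="e2"><input type="password" name="p2"></form>
<div style="position:absolute; left:-9999px"><input type="text" autocomplete="username" name="u3"></div>
<input type="password" name="p4" style="opacity: 0.5">"""
```

Calling `find_hidden_login_fields(SAMPLE)` reports the fields on lines 3 and 4 of the sample and leaves the visible login form alone. It only sees inline styles in the markup it is given, so fields hidden through external stylesheets need a check against computed styles in a real browser.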
An individual’s email address is seen as especially valuable because, unlike other identifying factors related to a person, it is not guaranteed to change over time. This means that web users can be tracked across multiple sites and advertisers can build up a picture of their habits, even if they clear the cookies from their browser or use an entirely different computer to access the internet.
The good news is that although this practice might be seen as unethical and problematic for a variety of reasons, the sites participating in it have not been shown to have stolen passwords. This may be a way of skirting along the edge of illegality without actually crossing it and drawing serious regulatory attention.
The exploitation of auto-complete features found in every major browser is clearly not acceptable and researchers are calling on developers to implement updates which will address this. In the meantime, carrying out safe shopping online only with reputable sites is the best way to steer clear of complications.