Gunes Acar, Steven Englehardt, and Arvind Narayanan:
First, a user fills out a login form on the page and asks the browser to save the login. The tracking script is not present on the login page . Then, the user visits another page on the same website which includes the third-party tracking script. The tracking script inserts an invisible login form, which is automatically filled in by the browser’s login manager. The third-party script retrieves the user’s email address by reading the populated form and sends the email hashes to third-party servers.
You can test the attack yourself on our live demo page.
Once again I say: the web would be better off if browsers had never added support for scripting. Many of the ads you see on legitimate websites today are effectively malware.
★ Tuesday, 2 January 2018