Ad targeters are exploiting browsers’ built-in login managers to covertly collect hashes of users’ email addresses, to be used to track them across the web.
“Email addresses are unique and persistent, and thus the hash of an email address is an excellent tracking identifier,” Princeton University’s Center for Information Technology researchers explain.
“A user’s email address will almost never change — clearing cookies, using private browsing mode, or switching devices won’t prevent tracking. The hash of an email address can be used to connect the pieces of an online profile scattered across different browsers, devices, and mobile apps. It can also serve as a link between browsing history profiles before and after cookie clears.”
How does the data harvesting happen?
The collection of visitors’ email address happens via scripts provided by digital advertising service companies Adthink and OnAudience and placed by publishers (site owners) directly into their site’s code.
The scripts are not present on the sites’ login page, but on other pages, and the login form they inject into those pages are invisible to the visitors, the researchers found.
“All major browsers have built-in login managers that save and automatically fill in username and password data to make the login experience more seamless. The set of heuristics used to determine which login forms will be autofilled varies by browser, but the basic requirement is that a username and password field be available,” the researchers noted.
“Login form autofilling in general doesn’t require user interaction; all of the major browsers will autofill the username (often an email address) immediately, regardless of the visibility of the form.”
to read the original article: