Article: Web trackers exploiting browser login managers
This article (https://freedom-to-tinker.com/2017/12/27/no-boundaries-for-user-identities-web-trackers-exploit-browser-login-managers/) was published yesterday highlighting two ad trackers which use JavaScript to inject hidden forms with the hopes of a password manager automatically filling fields with user info. The autofilled information is collected and used to build ad profiles. Is this a risk when using 1Password to fill forms? If so, what mitigations are possible?
1Password Version: 6.8.5
Extension Version: 4.6.12.90
OS Version: macOS 10.13.x
Sync Type: 1Password Family
Comments
@mm5030: Aha. That's really interesting, as it made the rounds in other publications almost exactly one year ago:
In fact, this doesn't have any impact on 1Password, and perhaps has less impact on 1Password users than everyone else. Given the opportunity, I will tell anyone quite baldly (pun kind of intended) to "Turn off the built-in password manager in your browser"...but I should really go into more detail since you actually asked. ;)
1Password, by design, takes no action unless you, as the user, tell it to do so. So, unlike browser autofill features, which often squirt saved information into webforms without provocation (okay, the page loaded...), 1Password will only, say, fill a Credit Card item when you explicitly select it to tell it to do so — same with Logins and Identities.
So while it can certainly be convenient for stuff to get filled automatically (and many users ask us to make 1Password do that), we very deliberately have it not do that, and are pretty resistant to changing that behaviour, because we believe strongly that the sensitive information we all put in 1Password should only get out when we let it out. Cheers! :)
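The difference the reply above describes, between filling when the page loads and filling only on an explicit user action, sketched as an added example that is not part of the thread and is not 1Password's or any browser's code. The function names, the event type string, the extra hidden-field check and the field snapshots are assumptions constructed for illustration.

```javascript
// Added example, not 1Password's or any browser's code. All names are hypothetical.
// Field snapshots below are constructed; in a browser the values would come
// from getComputedStyle() and getBoundingClientRect() on each <input>.

// True when a field cannot be seen by the user.
function isEffectivelyHidden(f) {
  return f.display === 'none' ||
    f.visibility === 'hidden' ||
    Number(f.opacity) === 0 ||
    f.width <= 1 || f.height <= 1 ||                // collapsed to a pixel
    f.left + f.width <= 0 || f.top + f.height <= 0; // pushed off-screen
}

// Policy A: fill as soon as a matching form appears (fill-on-page-load).
function autofillOnLoad(form) {
  return { fill: true, reason: 'form present on page load' };
}

// Policy B: fill only after an explicit user action, and (extra check assumed
// for this example) refuse forms containing fields the user cannot see.
function fillOnUserAction(form, event) {
  if (event.type !== 'user-selected-item') {
    return { fill: false, reason: 'no explicit user action' };
  }
  const hidden = form.fields.filter(isEffectivelyHidden).map(f => f.name);
  if (hidden.length > 0) {
    return { fill: false, reason: 'hidden fields: ' + hidden.join(', ') };
  }
  return { fill: true, reason: 'user-initiated fill of visible form' };
}

const box = { display: 'block', visibility: 'visible', opacity: '1',
              width: 200, height: 24, left: 40, top: 120 };
// Constructed: the site's real login form.
const siteLogin = { fields: [{ name: 'email', ...box },
                             { name: 'password', ...box, top: 160 }] };
// Constructed: a script-injected form the user never sees.
const injectedForm = { fields: [{ name: 'email', ...box, display: 'none' },
                                { name: 'password', ...box, left: -5000 }] };

console.log(autofillOnLoad(injectedForm));
console.log(fillOnUserAction(injectedForm, { type: 'page-load' }));
console.log(fillOnUserAction(injectedForm, { type: 'user-selected-item' }));
console.log(fillOnUserAction(siteLogin, { type: 'user-selected-item' }));
```

Under the fill-on-load policy the injected form receives the credentials with no user involvement; under the user-action policy it is refused both on page load and, because of the assumed visibility check, when the user triggers a fill.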