News: Ad targeters are pulling data from your browser’s password manager
The Verge: Ad targeters are pulling data from your browser’s password manager
How can we protect our data against these scripts?
Comments
-
Depending on whether you are using Chrome or Firefox, Chrome has uMatrix to block scripts while Firefox has uMatrix and NoScript. It's tricky to learn uMatrix and I am still at Firefox 52 ESR and haven't moved on to Firefox 57. There is NoScript v5.1 for ESR and NoScript 10 for Firefox Quantum.
I am in Chrome, mostly.
With regard to mobile, there are few such extensions in iOS/Android so uMatrix won't help there.
0 -
@wkleem: Those are great tools, but sadly most users will not have them installed, even if they know of them. iOS has some good content blockers, but I suspect most users have Safari's autofill enabled.
All of this reminds me of something I found shopping recently:
I was surprised to see this coming up again after almost exactly a year!
@XIII: It's a little bit of a different spin this time, but this still doesn't have any impact on 1Password — perhaps less impact on 1Password users — since we not only tell customers to "Turn off the built-in password manager in your browser", but 1Password, by design, takes no action unless you, as the user, tell it to do so. So, unlike browser autofill features, which tend to squirt saved information into webforms without any interaction, 1Password will only save or fill information when you explicitly tell it to do so.
So while it can certainly be convenient for stuff to get filled automatically (and many users ask us to make 1Password do that), we very deliberately have it not do that, and are pretty resistant to changing that behaviour, because we believe strongly that the sensitive information we all put in 1Password should only get out when we let it out. We have some additional information regarding this particular research as well in our knowledgebase:
Princeton’s CITP Research
I hope this helps. Be sure to let me know if you have any other questions! :)
0 -
Yes, this helps. Thanks!
0 -
There had been a conflict previously reported between 1Password, Duo and NoScript in Firefox.
I have not attempted to verify if the issue has been solved, but it is something to be aware of with regard to allowing scripts to run (or blocking them).
0 -
Thanks for the info. I’ll look at these add-ons
0 -
Brenty,
Although it is probably outside the scope of the researchers, the browser Brave has 1Password as its default password manager. How will the findings affect Brave and 1Password?
0 -
Stumbled upon a post for the second time last week.
Like to share it here because this is exactly what we should avoid :-) Just to create some awareness and maybe start a good discussion on this.
TLDR; 3rd party scripts use forms which are auto filled by browsers/plugins and use this information to profile/track users or steal their information.
0 -
@wkleem: I don't believe 1Password is the default there, but they've built in our extension since they do not allow the user to install extensions. So everything I said above applies there too. 1Password is the same and so is the extension, only it is built into the browser rather than being something the users add themselves. Cheers! :)
0 -
@srcoder: I hope you don't mind, but I've merged your post with an existing discussion on this. There's some more info above, but the short version is that since 1Password only fills when and where you tell it to, it isn't affected. Definitely something to be aware of though if you're still using browser autofill. Cheers! :)
0 -
Since 1Password is mentioned in this recent article at BGR, thought I'd forward the URL in case you haven't seen it yet.
http://bgr.com/2018/01/01/password-manager-security-issue-ad-trackers/
0 -
@LarryMcJ: I hope you don't mind, but I've merged you with an existing discussion on this topic. Please see above for more details. :)
0 -
Don't mind at all. In fact, I should have searched the forum before posting if this issue was already being discussed.
0 -
I often read some interesting things at BGR, but they do occasionally post things a bit out of context. Or in this case, they failed to understand how 1Password works in this regard.
0 -
:chuffed: :+1:
0 -
@LarryMcJ: I think the problem is that the phrase "browser-based password managers" is easily misconstrued. By "browser-based" it means literally the "password manager" which is built into the web browser, as opposed to those which are user-installed extensions. I suppose there may be some of those out there too which "autofill" when you load webpages, but 1Password doesn't do that by design.
0 -
I think you've hit the nail on the head. Too bad that some readers of the article will jump to the conclusion that 1Password autofills upon loading a webpage. Happy New Year!
0 -
Best we can do is help where we can. Happy new year! :)
0 -
Take a look at our latest blog post about this: 1Password keeps you safe by keeping you in the loop
In short, the attack described relies on some password managers (not 1Password) automatically and silently filling web forms. 1Password is designed not to do that. Silently giving away your secrets is just not a good security design.
0 -
Isn't the above article similar to this https://www.howtogeek.com/338209/you-should-turn-off-autofill-in-your-password-manager/ ? It warns people to disable the autofill option. Good thing that 1Password uses fill on request, meaning I choose when and what 1Password fills for me after I click on the website inside my vault. Thank you guys for being one step ahead of the bad guys, I feel my vault is safe with you.
0 -
Thanks @Catalin1P. I hadn't seen that. (For what it's worth, most of the text of our blog post was composed over the weekend. And actually, I cribbed much of that from a forum comment I wrote in 2014.) The evils of automatic autofill have been known for a long while, and so the recommendation to disable it if you are using a password manager that offers it is going to be common advice.
Thank you guys for being one step ahead of the bad guys, I feel my vault is safe with you.
You are very welcome.
0 -
Worth linking again I think since I kind of buried it in my more verbose comments earlier:
Turn off the built-in password manager in your browser
That not only gives you more control over the security of your data by keeping it locked down in 1Password until you want to use it, but it also eliminates a lot of confusion ("Did I save that in the browser, or in 1Password?") as well as making it easier to access across multiple platforms by syncing. Cheers! :)
0