Advertisers can use your browser’s password manager to steal your data

News
By Cat Ellis
last updated

What price convenience?

PC security image

Your browser’s built-in password manager could be exploited to share your email address with advertisers without your permission.

All the major browsers include a free password manager that stores login data for future use. According to researchers from Princeton University, the trouble begins when you entered an email address in an online form and ask the browser to save it for future use, then visit another page containing a third-party tracking script. The script loads an invisible login form that your browser fills in automatically, then reads this data and sends it to the tracking company.

This time, it's personal

The email address itself isn’t necessarily what advertisers want – it’s the extra information connected to it. You use the same email address on multiple websites and devices, which means ad trackers can use it to join up pieces of information from across all your devices. This can build an alarmingly detailed profile including not only details like your location and birth date, but also sensitive information like your height, weight, health conditions and income.

Some companies don’t treat email addresses as personally identifying data if they’re hashed (turned into a random-looking series of numbers using a mathematical function) before being transmitted, but the Princeton researchers say that isn’t enough. The domain is often left unhashed, and the hash for the rest of the address can be broken in seconds using a multi-core virtual machine that can be rented for pennies.

Disable your browser's password manager

The researchers have called on Microsoft, Google and Mozilla to implement a solution quickly, but if you're worried, you can switch off your browser's password manager in the meantime.

Password manager in Google Chrome

Deactivating the password manager is straightforward in most browsers

To disable the password manager in Chrome, go to chrome://settings, scroll down the page and click Advanced. Scroll down to 'Passwords and forms', 'Autofill settings' and toggle the top switch to 'Off'.

In Firefox, enter about:preferences in the address bar, click 'Privacy & security' and uncheck 'Remember logins and passwords for websites'. You can also clear any saved form data here.

If you're using Microsoft Edge, click the menu button at the top right, select 'Settings' and scroll down to 'View advanced settings'. Toggle the 'Offer to save passwords' switch to 'Off' and click 'Manage my saved passwords' to remove any that are already stored.

Via the Independent

Cat Ellis
Cat Ellis

Cat is the editor of TechRadar's sister site Advnture. She’s a UK Athletics qualified run leader, and in her spare time enjoys nothing more than lacing up her shoes and hitting the roads and trails (the muddier, the better)