Your browser’s built-in password manager could be exploited to share your email address with advertisers without your permission.
All the major browsers include a free password manager (opens in new tab) that stores login data for future use. According to researchers from Princeton University, the trouble begins (opens in new tab) when you entered an email address in an online form and ask the browser to save it for future use, then visit another page containing a third-party tracking script. The script loads an invisible login form that your browser fills in automatically, then reads this data and sends it to the tracking company.
This time, it's personal
The email address itself isn’t necessarily what advertisers want – it’s the extra information connected to it. You use the same email address on multiple websites and devices, which means ad trackers can use it to join up pieces of information from across all your devices. This can build an alarmingly detailed profile including not only details like your location and birth date, but also sensitive information like your height, weight, health conditions and income.
Some companies don’t treat email addresses as personally identifying data if they’re hashed (turned into a random-looking series of numbers using a mathematical function) before being transmitted, but the Princeton researchers say that isn’t enough (opens in new tab). The domain is often left unhashed, and the hash for the rest of the address can be broken in seconds using a multi-core virtual machine that can be rented for pennies.
Disable your browser's password manager
The researchers have called on Microsoft, Google and Mozilla to implement a solution quickly, but if you're worried, you can switch off your browser's password manager in the meantime.
To disable the password manager in Chrome, go to chrome://settings, scroll down the page and click Advanced. Scroll down to 'Passwords and forms', 'Autofill settings' and toggle the top switch to 'Off'.
In Firefox, enter about:preferences in the address bar, click 'Privacy & security' and uncheck 'Remember logins and passwords for websites'. You can also clear any saved form data here.
If you're using Microsoft Edge, click the menu button at the top right, select 'Settings' and scroll down to 'View advanced settings'. Toggle the 'Offer to save passwords' switch to 'Off' and click 'Manage my saved passwords' to remove any that are already stored.
Via the Independent (opens in new tab)
- Which web browser is best for security? Check out our guide (opens in new tab)