Researchers have spotted a sly new technique adopted by advertising companies to track web users that can’t be stopped by private browsing, clearing cookies or even changing devices.
The method, discovered by Princeton’s Center for Information Technology Policy, exploits the fact that many web users rely on the login managers built into browsers to autofill login details (email address and password) when they visit a familiar website.
Normally this is an innocent process, but on a small number of sites that have embedded either one of two tracking scripts – AdThink and OnAudience – the user is fed a second invisible login screen on a subsequent page that is autofilled by most browser password managers without the user realising this is happening.
At this point, the scripts capture a hashed version of the user’s email address, which is sent to one or more remote servers run by the advertising companies including, in the case of AdThink, large data broker Acxiom.
But what use is a hashed and therefore unusable email address? Quite simply:
Email addresses are unique and persistent, and thus the hash of an email address is an excellent tracking identifier.
Email addresses don’t change often or at all, which means:
The hash of an email address can be used to connect the pieces of an online profile scattered across different browsers, devices, and mobile apps.
The researchers speculate that tracking users via an email address identifier might even allow advertisers to join different browsing histories together even after cookies have been cleared.
This means that changing browsers, or devices, or even deleting cookies after every session would offer little protection as long as a user’s email address remains the same and is used regularly enough.
It sounds alarming, so let’s mention the technique’s limitations.
The first is simply that it is not common, with the two scripts being found on only 1,110 of the Alexa top one million websites.
The user must also be using a browser’s integrated login manager rather than a third-party platform such as LastPass, 1Password or Dashlane (which don’t autofill invisible forms), and importantly, to have entered their login information on the domain – just visiting isn’t enough.
It’s likely that browser script blockers such as Ghostery, NoScript or Privacy Badger would make short work of the scripts assuming they have been updated to add them to their list of invisible trackers.
The problem is that there will be plenty of internet users who continue to use browser login managers out of convenience, and who don’t run script blockers.
As the researchers point out, the underlying fault here is the Same Origin Policy model of web trust in which publishers either completely trust or mistrust third-parties.
When a script is embedded on a site by an ad partner the easiest option is simply to trust it because not doing so might limit its functions – even if that third-party script is capturing hashes of email addresses entered by customers.
For users, the latest discovery only adds to the strong sense that ad tracking is running out of control in ways that can be extremely hard to keep tabs on. Tracking can be mitigated to some extent but only if users understand such a thing is necessary in the first place.
Today, the default position is that users should take web tracking systems on trust. The discovery of AdThink and OnAudience suggests they need to become far warier.
5 comments on “Ad scripts track users via browser password managers”
I’m wondering if a simple fix might be updating the host file (Windows or Linux) to treat the domain name, website, etc used by these scripts as 127.0.0.1 or 0.0.0.0?
Redirecting FQDNs to 127.0.0.1 is a tried-and-tested hack for blocking downloads you don’t want…but it can be a labour of love in todays’ world of content delivery networks, alliances, affiliate networks and so on. The number of entries you need in your blocklist may be a lot larger than you first thought, and you may need to update it a lot. But for egregious offenders, why not try it and see how it works for you?
I use NoScript which would seem to block this technique but it is a constant effort. As sites add CDNs or other script locations I have to look at them and decide which ones to temporarily allow, permanently allow, and disable. I’m still willing to do this because I don’t look at a lot of new sites, usually the same ones on a regular basis, and NoScript is set up for them.
Good thing I use a different email for just about every site I have an account on!
How do we start a move to get organisations that use obsessive tracking viewed as pariahs?
We need to specify what is acceptable (to permit the basic operation of the site)?
We need to call out those who go beyond that
If a major corporation got called out for excessive privacy-busting tracking would they mend their ways and would others rapidly review what they did?