News: Ad targeters are pulling data from your browser’s password manager

XIII
Community Member
edited January 2018 in Lounge

The Verge: Ad targeters are pulling data from your browser’s password manager

How can we protect our data against these scripts?

Comments

  • wkleem
    Community Member

    @XIII,

    Depending on whether you are using Chrome or Firefox, Chrome has uMatrix to block scripts while Firefox has uMatrix and NoScript. It's tricky to learn uMatrix and I am still at Firefox 52 ESR and haven't moved on to Firefox 57. There is NoScript v5.1 for ESR and NoScript 10 for Firefox Quantum.

    I am in Chrome, mostly.

    With regard to mobile, there are few such extensions in iOS/Android so uMatrix won't help there.

  • AGAlumB
    1Password Alumni

    @wkleem: Those are great tools, but sadly most users will not have them installed, even if they know of them. iOS has some good content blockers, but I suspect most users have Safari's autofill enabled.

    All of this reminds me of something I found shopping recently:

    I was surprised to see this coming up again after almost exactly a year!

    @XIII: It's a little bit of a different spin this time, but this still doesn't have any impact on 1Password— perhaps less impact on 1Password users — since we not only tell customers to "Turn off the built-in password manager in your browser", but 1Password, by design, takes no action unless you, as the user, tell it to do so. So, unlike browser autofill features, which tend to squirt saved information into webforms without any interaction, 1Password will only save or fill information when you explicitly tell it to do so.

    So while it can certainly be convenient for stuff to get filled automatically (and many users ask us to make 1Password do that), we very deliberately have it not do that, and are pretty resistant to changing that behaviour, because we believe strongly that the sensitive information we all put in 1Password should only get out when we let it out. We have some additional information regarding this particular research as well in our knowledgebase:

    Princeton’s CITP Research

    I hope this helps. Be sure to let me know if you have any other questions! :)

  • XIII
    Community Member

    Yes, this helps. Thanks!

  • wkleem
    Community Member
    edited January 2018

    There had been a conflict previously reported between 1Password, Duo and NoScript in Firefox.

    I have not attempted to verify if the issue has been solved, but it is something to be aware of with regard to allowing scripts to run (or blocking them).

  • prime
    Community Member

    Thanks for the info. I’ll look at these add-ons

  • wkleem
    Community Member

    Brenty,

    Although it is probably outside the scope of the researchers, the browser Brave has 1Password as its default password manager. How will the findings affect Brave and 1Password?

  • srcoder
    Community Member

    Stumbled upon a post for the second time last week.
    Like to share it here because this is exactly what we should avoid :-)

    Just to create some awareness and maybe start a good discussion on this.

    https://freedom-to-tinker.com/2017/12/27/no-boundaries-for-user-identities-web-trackers-exploit-browser-login-managers/

    TLDR; 3rd party scripts use forms which are auto filled by browsers/plugins and use this information to profile/track users or steal their information.



  • AGAlumB
    1Password Alumni

    @wkleem: I don't believe 1Password is the default there, but they've built in our extension since they do not allow the user to install extensions. So everything I said above applies there too. 1Password is the same and so is the extension, only it is built into the browser rather than being something the users add themselves. Cheers! :)

  • AGAlumB
    1Password Alumni

    @srcoder: I hope you don't mind, but I've merged your post with an existing discussion on this. There's some more info above, but the short version is that since 1Password only fills when and where you tell it to, it isn't affected. Definitely something to be aware of though if you're still using browser autofill. Cheers! :)

  • LarryMcJ
    Community Member

    Since 1Password is mentioned in this recent article at BGR, thought I'd forward the URL in case you haven't seen it yet.

    http://bgr.com/2018/01/01/password-manager-security-issue-ad-trackers/



  • AGAlumB
    1Password Alumni

    @LarryMcJ: I hope you don't mind, but I've merged you with an existing discussion on this topic. Please see above for more details. :)

  • LarryMcJ
    Community Member

    Don't mind at all. In fact, I should have searched the forum before posting if this issue was already being discussed.

  • AGAlumB
    1Password Alumni

    @LarryMcJ: Well, there's a lot of stuff to search. And it's not out of my way given I've seen it all today. hehe

  • LarryMcJ
    Community Member

    I often read some interesting things at BGR, but they do occasionally post things a bit out of context. Or in this case, they failed to understand how 1Password works in this regard.

  • srcoder
    Community Member

    @brenty thanks for the merge, totally fine!
    I'm not able to browse the whole forum all the time, so :+1:

  • AGAlumB
    1Password Alumni

    :chuffed: :+1:

  • AGAlumB
    1Password Alumni

    @LarryMcJ: I think the problem is that the phrase "browser-based password managers" is easily misconstrued. By "browser-based" it means literally the "password manager" which is built into the web browser, as opposed to those which are user-installed extensions. I suppose there may be some of those out there too which "autofill" when you load webpages, but 1Password doesn't do that by design.

  • LarryMcJ
    Community Member
    edited January 2018

    I think you've hit the nail on the head. Too bad that some readers of the article will jump to the conclusion that 1Password autofills upon loading a webpage. Happy New Year!

  • AGAlumB
    1Password Alumni

    Best we can do is help where we can. Happy new year! :)

  • jpgoldberg
    1Password Alumni

    Take a look at our latest blog post about this: 1Password keeps you safe by keeping you in the loop

    In short, the attack described relies on some password managers (not 1Password) automatically and silently filling web forms. 1Password is designed not to do that. Silently giving away your secrets is just not a good security design.
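
For site owners who want to check their own pages for this, an added example (not from the thread or from 1Password): a DOM audit that flags email and password inputs a visitor could not see, the kind of form that silent autofill, as described above, would populate without anyone noticing. The selector, the visibility heuristics and the stubbed `document`/`window` inside `demo()` are assumptions made for this illustration.

```javascript
// Added example: flag credential inputs that a visitor could not see or click.
const CREDENTIAL_SELECTOR =
  'input[type="password"], input[type="email"], input[autocomplete~="username"]';

// Reason a computed style hides an element, or null if it does not.
function styleHides(style) {
  if (style.display === 'none') return 'display:none';
  if (style.visibility === 'hidden') return 'visibility:hidden';
  if (parseFloat(style.opacity) === 0) return 'opacity:0';
  return null;
}

// Reason the element's box is unreachable: collapsed, or placed off-page.
function boxHides(rect, win) {
  if (rect.width < 2 || rect.height < 2) return 'collapsed box';
  if (rect.right + win.scrollX <= 0 || rect.bottom + win.scrollY <= 0) return 'off-page';
  return null;
}

// In a browser: auditHiddenCredentialFields(document, window)
function auditHiddenCredentialFields(doc, win) {
  const findings = [];
  for (const input of doc.querySelectorAll(CREDENTIAL_SELECTOR)) {
    let reason = boxHides(input.getBoundingClientRect(), win);
    // Opacity and display on an ancestor hide the field too, so walk upward.
    for (let el = input; el && !reason; el = el.parentElement) {
      reason = styleHides(win.getComputedStyle(el));
    }
    if (reason) findings.push({ name: input.name, type: input.type, reason });
  }
  return findings;
}
// Constructed stand-ins for document/window so the audit also runs under Node.
const fakeInput = (name, type, style, rect, parentElement = null) =>
  ({ name, type, style, parentElement, getBoundingClientRect: () => rect });
function demo() {
  const box = (l, t, w, h) => ({ width: w, height: h, right: l + w, bottom: t + h });
  const shown = { display: 'block', visibility: 'visible', opacity: '1' };
  const fadedDiv = { style: { ...shown, opacity: '0' }, parentElement: null };
  const inputs = [
    fakeInput('login_email', 'email', shown, box(40, 120, 240, 32)),      // visible form
    fakeInput('e', 'email', shown, box(-9999, 0, 150, 20)),               // off-page
    fakeInput('p', 'password', shown, box(10, 10, 150, 20), fadedDiv),    // faded parent
    fakeInput('u', 'email', { ...shown, display: 'none' }, box(0, 0, 0, 0)),
  ];
  const win = { scrollX: 0, scrollY: 0, getComputedStyle: (el) => el.style };
  return auditHiddenCredentialFields({ querySelectorAll: () => inputs }, win);
}
console.log(demo());
```

Because tracking scripts can add forms after load, run the audit again from a `MutationObserver` callback rather than only once at page load.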

  • Catalin1P
    Community Member
    edited January 2018

    Isn't the above article similar to this https://www.howtogeek.com/338209/you-should-turn-off-autofill-in-your-password-manager/ ? It warns people to disable the autofill option. Good thing that 1Password uses fill on request, meaning I choose when and what 1Password fills for me after I click on the website inside my vault. Thank you guys for being one step ahead of the bad guys, I feel my vault is safe with you.

  • jpgoldberg
    1Password Alumni

    Thanks @Catalin1P. I hadn't seen that. (For what it's worth, most of the text of our blog post was composed over the weekend. And actually, I cribbed much of that from a forum comment I wrote in 2014.) The evils of automatic autofill have been known for a long while, and so the recommendation to disable it if you are using a password manager that offers it is going to be common advice.

    "Thank you guys for being one step ahead of the bad guys, I feel my vault is safe with you."

    You are very welcome.

  • AGAlumB
    1Password Alumni

    Worth linking again I think since I kind of buried it in my more verbose comments earlier:

    Turn off the built-in password manager in your browser

    That not only gives you more control over the security of your data by keeping it locked down in 1Password until you want to use it, but it also eliminates a lot of confusion ("Did I save that in the browser, or in 1Password?") as well as making it easier to access across multiple platforms by syncing. Cheers! :)

This discussion has been closed.