News: Ad targeters are pulling data from your browser’s password manager

XIII
edited January 2018 in Lounge

The Verge: Ad targeters are pulling data from your browser’s password manager

How can we protect our data against these scripts?

Comments

  • brenty

    Team Member

    @wkleem: Those are great tools, but sadly most users will not have them installed, even if they know of them. iOS has some good content blockers, but I suspect most users have Safari's autofill enabled.

    All of this reminds me of something I found shopping recently:

    I was surprised to see this coming up again after almost exactly a year!

    @XIII: It's a little bit of a different spin this time, but this still doesn't have any impact on 1Password — perhaps less impact on 1Password users — since we not only tell customers to "Turn off the built-in password manager in your browser", but 1Password, by design, takes no action unless you, as the user, tell it to do so. So, unlike browser autofill features, which tend to squirt saved information into webforms without any interaction, 1Password will only save or fill information when you explicitly tell it to do so.

    So while it can certainly be convenient for stuff to get filled automatically (and many users ask us to make 1Password do that), we very deliberately have it not do that, and are pretty resistant to changing that behaviour, because we believe strongly that the sensitive information we all put in 1Password should only get out when we let it out. We have some additional information regarding this particular research as well in our knowledgebase:

    Princeton’s CITP Research

    I hope this helps. Be sure to let me know if you have any other questions! :)

  • Yes, this helps. Thanks!

  • Thanks for the info. I’ll look at these add-ons

  • Stumbled upon a post for the second time last week.
    Like to share it here because this is exactly what we should avoid :-)

    Just to create some awareness and maybe start a good discussion on this.

    https://freedom-to-tinker.com/2017/12/27/no-boundaries-for-user-identities-web-trackers-exploit-browser-login-managers/

    TLDR; 3rd party scripts use forms which are auto filled by browsers/plugins and use this information to profile/track users or steal their information.


  • brenty

    Team Member

    @wkleem: I don't believe 1Password is the default there, but they've built in our extension since they do not allow the user to install extensions. So everything I said above applies there too. 1Password is the same and so is the extension, only it is built into the browser rather than being something the users add themselves. Cheers! :)

  • brenty

    Team Member

    @srcoder: I hope you don't mind, but I've merged your post with an existing discussion on this. There's some more info above, but the short version is that since 1Password only fills when and where you tell it to, it isn't affected. Definitely something to be aware of though if you're still using browser autofill. Cheers! :)

  • LarryMcJ Senior Member

    Since 1Password is mentioned in this recent article at BGR, thought I'd forward the URL in case you haven't seen it yet.

    http://bgr.com/2018/01/01/password-manager-security-issue-ad-trackers/


  • brenty

    Team Member

    @LarryMcJ: I hope you don't mind, but I've merged you with an existing discussion on this topic. Please see above for more details. :)

  • LarryMcJ Senior Member

    Don't mind at all. In fact, I should have searched the forum before posting if this issue was already being discussed.

  • brenty

    Team Member

    @LarryMcJ: Well, there's a lot of stuff to search. And it's not out of my way given I've seen it all today. hehe

  • LarryMcJ Senior Member

    I often read some interesting things at BGR, but they do occasionally post things a bit out of context. Or in this case, they failed to understand how 1Password works in this regard.

  • @brenty thanks for the merge, totally fine!
    I'm not able to browse the whole forum all the time, so :+1:

  • brenty

    Team Member

    :chuffed::+1:

  • brenty

    Team Member

    @LarryMcJ: I think the problem is that the phrase "browser-based password managers" is easily misconstrued. By "browser-based" it means literally the "password manager" which is built into the web browser, as opposed to those which are user-installed extensions. I suppose there may be some of those out there too which "autofill" when you load webpages, but 1Password doesn't do that by design.

  • LarryMcJ Senior Member
    edited January 2018

    I think you've hit the nail on the head. Too bad that some readers of the article will jump to the conclusion that 1Password autofills upon loading a webpage. Happy New Year!

  • brenty

    Team Member

    Best we can do is help where we can. Happy new year! :)

  • jpgoldberg Agile Customer Care

    Team Member

    Take a look at our latest blog post about this: 1Password keeps you safe by keeping you in the loop

    In short, the attack described relies on some password managers (not 1Password) automatically and silently filling web forms. 1Password is designed not to do that. Silently giving away your secrets is just not a good security design.

  • Catalin1P
    edited January 2018

    Isn't the above article similar to this https://www.howtogeek.com/338209/you-should-turn-off-autofill-in-your-password-manager/ ? It warns people to disable the autofill option. Good thing that 1Password uses fill on request, meaning I choose when and what 1Password fills for me after I click on the website inside my vault. Thank you guys for being one step ahead of the bad guys, I feel my vault is safe with you.

  • jpgoldberg Agile Customer Care

    Team Member

    Thanks @Catalin1P. I hadn't seen that. (For what it's worth, most of the text of our blog post was composed over the weekend. And actually, I cribbed much of that from a forum comment I wrote in 2014.) The evils of automatic autofill have been known for a long while, and so the recommendation to disable it if you are using a password manager that offers it is going to be common advice.

    Thank you guys for being one step ahead of the bad guys, I feel my vault is safe with you.

    You are very welcome.

  • brenty

    Team Member

    Worth linking again I think since I kind of buried it in my more verbose comments earlier:

    Turn off the built-in password manager in your browser

    That not only gives you more control over the security of your data by keeping it locked down in 1Password until you want to use it, but it also eliminates a lot of confusion ("Did I save that in the browser, or in 1Password?") as well as making it easier to access across multiple platforms by syncing. Cheers! :)

This discussion has been closed.