The online advertising industry is facing a new privacy row amid claims that brands are being offered personal data from browser password managers – captured without permission – as a means of boosting their ad targeting.
Nearly every web browser, including Google Chrome, Firefox and Safari, now includes a password manager tool, which securely stores usernames and passwords so consumers do not have to memorise them.
When users visit a website with a saved username and password, the browser automatically fills the details into the login form through the “autofill” feature.
But new research from cyber security experts at Princeton University, New Jersey, claims advertisers are able to access the information stored within these managers.
At least two organisations have already been fingered. The researchers identified Paris-based AdThink Media and Warsaw-based OnAudience as the owners of scripts that inject invisible login forms into web pages, capture the email addresses that the browser autofills into them, and then send hashed versions of those addresses to remote servers.
In one highly embarrassing case, it is alleged that this information was also transmitted back to data giant Acxiom. However, AdThink has refuted the claim, insisting that the code was experimental and has been deleted.
Email addresses can be used for a variety of user tracking purposes, even after users have cleared cookies and otherwise attempted to disguise their identity. So-called “email harvesting” also presents a security threat since email addresses are commonly used as usernames. By testing addresses in combination with commonly used passwords, attackers could potentially break into user accounts on other websites.
The only secure fix would be to change how password managers work, requiring explicit consent from plugins before giving out user information.
Professor Arvind Narayanan, a Princeton computer science researcher who worked on the project, said most of the blame should be placed on websites that choose to run plugins like AdThink without realising how invasive they are.
He added: “It won’t be easy to fix, but it’s worth doing. We’d like to see publishers exercise better control over third parties on their sites.”