Posted On 13 Jun 2019
It appears that some advertising networks are now using tracking scripts to harvest the email addresses that your password manager enters into websites as part of the autofill function. That alone would be cause for concern, but it appears the same technology could be used to harvest your password as well. This applies to all password managers in browsers and browser extensions; users are advised to disable autofill functions to protect their information.
The way this happens is that certain third-party advertising scripts, which are present on virtually every website you visit, create invisible login/password boxes and prompts the autofill feature to fill them in, thereby gaining your password without you even knowing it.
This problem is not something that could happen, is something that is happening; around a thousand of the most popular million websites contain this vulnerability, according to experts. At present, it appears only to be used for harvesting usernames and emails, but the opportunity is there to use it to harvest passwords any time.
The best way of protecting yourself against the security threat is to make sure that you have a different password for every website to which you log in; if you do, the worst-case scenario is that somebody is able to log into a specific website in your name. If you use the same password for everything, once a third-party has your login to one website, they can gain access to your email, your bank accounts, and everything else you use the same password for.
Many of us have trouble remembering multiple passwords, so a good option is to use a password manager such as LastPass or 1Password that saves passwords for you; these managers have options to disable autofill either completely (in which case you would have to cut-and-paste usernames and passwords from the list contained in the manager) – the safest option but one which removes a lot of the convenience of a password manager – or partially, so that the manager only fills in details when prompted to by you, ensuring that you only give your details to that specific page.
Password managers are definitely preferable to using the autofill function in your browser; some browsers, like Microsoft Edge and Google Chrome, have no facility to disable autofill, while others like Firefox make it unnecessarily complicated. In the long run, hopefully, the creators of browsers and password managers will be wary of this threat and prevent autofill plastering your login on every webpage you visit, but for now, disabling autofill is definitely the safest option.