Advertisers have found a new way to track you. According to Freedom to Tinker, a few ad networks are now abusing tracking scripts to capture the email addresses that your password manager auto-fills on websites.
But it gets worse: they could use that tech to capture your passwords too, if they wanted. This affects everyone using a password manager, whether it’s a built-in password manager like the one in Chrome, Firefox, or Edge, or a browser extension like LastPass. As a result, you should probably disable the autofill feature to prevent this from happening.
How Autofill Is Leaking Your Information
When you save your username and password on a website, your password manager remembers them. From that point forward, it will attempt to automatically fill them into username and password boxes it sees on that website. This makes signing in faster, as you just have to click “Login”.
But some third-party advertising scripts—the ones that nearly every website out there uses—are starting to use these to track you. They run in the background, create fake login and password boxes you can’t even see, and captures the credentials your password manager fills into them.
You can see this problem for yourself by visiting this demonstration page. Fill in a fake email address and password, and you’ll be prompted to save it in your browser’s password manager. Continue, and it will be autofilled in the background, with the script capturing the email address and password.
This demonstration site doesn’t currently show any problem if you use LastPass, but anything that automatically fills usernames and passwords with no user intervention—LastPass included—is theoretically vulnerable.
You Need Unique Passwords Everywhere, So Password Managers Are Still Essential
This problem demonstrates the importance of using unique passwords on every website. It’s not just a theoretical attack—it’s actually being used by advertisers on 1110 of the top one million websites today, according to Freedom to Tinker. Advertisers are currently just using this technique to capture usernames and email addresses, but there’s nothing stopping them from capturing passwords as well, if one was in a particularly nefarious mood someday.
If an advertiser did capture your password on a website, the worst someone with that data could do is sign into that website. That’s not ideal, but it’s not the worst thing that could happen. if you use the same password for that website as you do for your email account, that person could then access your email account and use it to gain access to your other accounts. That’s the worst that could happen.
This is why we still recommend using a password manager, no matter what. With all the different accounts the average person has online, and the frequency of attacks against these websites, it’s imperative that you use a unique password for every site you visit. The best way to do that is with a password manager—don’t throw the baby out with the bathwater.
Protect Yourself By Disabling Autofill
However, you can still mitigate some of your risk from these scripts by disabling autofill in your password manager. For example, if you use LastPass (which is not currently affected by these scripts, but theoretically could be), the autofill feature fills login fields with your credentials so you can just click “Login”. If you disable the autofill feature, you’ll have to click the LastPass icon in a password field and click your username to fill your saved information. You’ll only do this when trying to sign in, so this should protect your credentials from being scooped up. You’re no longer spraying them all over every page.
You could also just copy-and-paste usernames and passwords from your password manager of choice, and that would make you even safer—but significantly less convenient. We think choosing to manually initiate autofill only on login pages should be a good middle ground between security and convenience. If those login pages were compromised with such a script, nothing could help you, anyway—the script could read your login details even if you copy-and-pasted or manually typed them in.
Unfortunately, most browser password managers don’t allow you to disable autofill. There’s no way to disable the autofill feature if you’re using the integrated password manager in Google Chrome or Microsoft Edge, for example. Chrome does have an option to disable autofill, but it only disables autofill of data like addresses and phone numbers, not passwords. There is an option to disable autofill of passwords in Mozilla Firefox’s password manager, but it’s hidden in about:config.
If you’re using the built-in password manager in Chrome or Edge, we encourage you to switch to a third-party password manager that offers more control, like LastPass or 1Password. 1Password isn’t affected by this problem because it doesn’t include an automatic autofill feature.
In LastPass, you can disable autofill by clicking the LastPass extension button on your browser toolbar and clicking “Preferences”. Uncheck the “Automatically Fill Login Information” option under General and then click “Save” to save your changes.
If you want to keep using Firefox’s password manager, you should type “about:config” into Firefox’s address bar and press Enter. You’ll see a warning screen informing you that changing various settings here could cause problems. Don’t worry—if you just change the single setting we point out, you’ll be fine. Click “I accept the risk!” to continue.
Type “autofillForms” into the search box and double-click the “signon.autofillForms” preference to set it to “false”. Firefox will no longer autofill usernames and passwords without your permission.
If you’re using another password manager, you should open its preferences and disable the “autofill” or “automatically fill” option to ensure your password manager won’t leak your personal information.
Browser and password manager developers need to rethink password managers to make them more secure. They shouldn’t try to automatically fill your login data on every single web page you visit on a particular website. That’s just asking for trouble. But, for now, you can disable autofill to make yourself more secure.