
Study Finds A Simple Way To Exploit Browser Password Managers

The password managers built into popular browsers such as Google Chrome and Mozilla Firefox can be exploited by a third-party script embedded in a page, potentially handing users’ passwords to third parties if they manage to sneak such a script into a given page. An example script is hosted by the tech blog Freedom To Tinker, where the webmaster has set up a demo page that asks users for a fake email address and password, then sniffs those details using the script in question and shows them to the user on the page. The exploit works across a range of browsers with very little variation.

The exploit can steal passwords, but across a sample of 50,000 sites, none were found to be doing so. Instead, users were being tracked on many of these sites, with unique tracking data collected and sent to unknown parties. This particular script is just one example of the possible ways that browsers’ built-in password managers can be exploited, though it should be noted that it, and many others, don’t affect third-party password managers. 1Password, for example, specifically blocks this type of attack by filling in email and password fields only when a user asks it to, rather than automatically when a page loads. So far, most consumer-grade browsers have been reluctant to implement similar behavior, leaving them vulnerable to scripts like this one.
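The scripts in the Freedom To Tinker study rely on the browser autofilling login fields that the visitor never sees. Below is an added example, not code from the article or from the Freedom To Tinker demo, of a defensive check that a site owner or a browser extension could run to flag such fields; the field-descriptor shape and the function names (isHiddenCredentialField, findAutofillBait, scanDocument) are this example's own assumptions.

```javascript
// Decide whether one input looks like autofill bait: a credential field that is
// in the DOM but not visible to the user. `style` is expected to hold computed
// style values and `rect` a bounding client rect (descriptor shape assumed here).
function isHiddenCredentialField(field) {
  const type = (field.type || '').toLowerCase();
  const autocomplete = (field.autocomplete || '').toLowerCase();
  const credentialLike =
    type === 'password' || type === 'email' ||
    autocomplete === 'username' || autocomplete === 'current-password';
  if (!credentialLike) return false;

  const { style, rect } = field;
  const invisible =
    style.display === 'none' ||
    style.visibility === 'hidden' ||
    parseFloat(style.opacity) === 0;
  // zero-sized or positioned entirely off the left/top edge of the viewport
  const offscreen =
    rect.width === 0 || rect.height === 0 || rect.right < 0 || rect.bottom < 0;
  return invisible || offscreen;
}

// Return every descriptor in the list that looks like autofill bait.
function findAutofillBait(fields) {
  return fields.filter(isHiddenCredentialField);
}

// Browser adapter: build descriptors from the live DOM. Returns an empty list
// where no document exists, so the pure logic above stays unit-testable.
function scanDocument(doc = typeof document !== 'undefined' ? document : null) {
  if (!doc) return [];
  const fields = Array.from(doc.querySelectorAll('input')).map((el) => ({
    type: el.type,
    autocomplete: el.getAttribute('autocomplete') || '',
    style: getComputedStyle(el),
    rect: el.getBoundingClientRect(),
    element: el,
  }));
  return findAutofillBait(fields);
}

// Constructed sample: a normal visible login form, an injected pair the user
// never sees, and a hidden non-credential field that must not be flagged.
const visible = { display: 'block', visibility: 'visible', opacity: '1' };
const onScreen = { width: 200, height: 30, right: 400, bottom: 300 };
const gone = { width: 0, height: 0, right: 0, bottom: 0 };
const sampleFields = [
  { type: 'email', autocomplete: '', style: visible, rect: onScreen },
  { type: 'password', autocomplete: '', style: visible, rect: onScreen },
  { type: 'email', autocomplete: '', style: visible, rect: { width: 1, height: 1, right: -9999, bottom: 10 } },
  { type: 'password', autocomplete: '', style: { ...visible, display: 'none' }, rect: gone },
  { type: 'text', autocomplete: '', style: { ...visible, display: 'none' }, rect: gone },
];
```

On a live page, scanDocument() returns the suspicious inputs so they can be logged or reported; running it from a MutationObserver callback also catches fields a script injects after load.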

Password security is one of the most important ways for users to protect themselves on the modern internet, and being aware of security risks like this one is a big part of that. There are many other ways that a user’s data can be compromised. This script attacks browser password managers at a fairly deep level, which means that there could be other scripts out there that act in a similar fashion. There are numerous exploits for Windows, Linux, Mac, and mobile devices that use system software vulnerabilities in tandem with special software that can be pushed onto a user unwittingly or bundled with software the user actually wants. Even with users becoming more aware of security risks online, and software and hardware makers bolstering security on their end, users should keep in mind that there is no way to ever be completely safe.