Browser Vulnerability that allows Theft of Saved Passwords

The Exploit


Security researchers have uncovered how marketing companies have started exploiting an 11-year-old bug in browsers’ built-in password managers, which allows them to secretly steal your email address for targeted advertising across different browsers and devices.


The major concern is that the same loophole could allow malicious actors to steal your saved usernames and passwords from browsers without requiring your interaction.


Every modern browser—Google Chrome, Safari, Mozilla Firefox, Opera or Microsoft Edge—today comes with a built-in easy-to-use password manager tool that allows you to save your login information for automatic form-filling.


Third-party tracking scripts found by researchers on these websites inject invisible login forms in the background of the webpage, tricking browser-based password managers into auto-filling the form with the user’s saved information.


How to protect your passwords

- Disable the autofill function on your browser.

- Use third-party password managers, like LastPass and 1Password. They are not prone to this attack, since they avoid auto-filling invisible forms and require user interaction as well.