Date: 2018-01-02

There are a few things you'll hear in every conversation about internet security; one of the first is to use a password manager. I've said it, most of my coworkers have said it, and chances are you've said it while helping someone else sort out ways to keep their data safe and sound. It's still good advice, but a recent study from Princeton University's Center for Information Technology Policy has found that the password manager in your web browser, which you might use to keep your information private, is also helping ad companies track you across the web.

It's a frightening scenario from all sides, mostly because it's not going to be easy to fix. What's happening isn't the stealing of any credentials — an ad company doesn't want your username and password — but the behavior a password manager uses is being exploited in a very simple way. An ad company places a script on a page (two called out by name are AdThink and OnAudience) that acts as a login form. It's not a real login form, as in it's not going to connect you to any service, it's "just" a login script.

When your password manager sees a login form, it enters a username. Browsers tested were: Firefox, Chrome, Internet Explorer, Edge, and Safari. Chrome, for example, will not enter the password until the user interacts with the form, but it enters a username automatically. That's fine because that is all the script wants or needs. Other browsers behaved the same, as expected.

Once your username is entered, it and your browser ID are hashed into a unique identifier. Nothing needs to be saved on your computer or phone, because the next time you visit a site that uses the same ad company you get another script acting as a login form and your username is once again entered. The data is compared to what's on file, and voilà, a unique identifier has been attached to you and can be (and is being) used to track you across the web. And this works because this is expected and "trusted" behavior. Besides a roadmap of your internet habits, data found to be attached to this UUID also includes browser plugins, MIME types, screen dimensions, language, timezone information, user agent string, OS information, and CPU information.
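
One way to check a site for the behavior described above, as an added example that is not from the article or the Princeton study: save a throwaway username in the browser's password manager, capture the page's outgoing requests, and search the third-party ones for that username or a digest of it. The digest algorithms, host names and sample requests are constructed assumptions, and a digest mixed with other values (such as the browser ID mentioned above) would not match.

```javascript
// Added example: audit captured requests for a planted test username.
const crypto = require('node:crypto');

// Digests to search for. Assumption: the article does not name an algorithm.
const ALGORITHMS = ['md5', 'sha1', 'sha256'];
const hexDigest = (alg, value) => crypto.createHash(alg).update(value).digest('hex');

// Map every search string (raw value and its hex digests) to a label.
function needlesFor(username) {
  const needles = new Map();
  for (const v of new Set([username, username.toLowerCase()])) {
    needles.set(v.toLowerCase(), 'plaintext');
    for (const alg of ALGORITHMS) needles.set(hexDigest(alg, v), alg);
  }
  return needles;
}

// One finding per third-party request whose URL or body carries the
// username or a digest of it. Requests to the visited site are skipped.
function findUsernameLeaks(username, firstPartyHost, requests) {
  const needles = needlesFor(username);
  const findings = [];
  for (const req of requests) {
    const host = new URL(req.url).hostname;
    if (host === firstPartyHost || host.endsWith('.' + firstPartyHost)) continue;
    let text = req.url + '\n' + (req.body || '');
    try { text = decodeURIComponent(text); } catch (_) { /* keep raw text */ }
    const haystack = text.toLowerCase();
    for (const [needle, kind] of needles) {
      if (haystack.includes(needle)) findings.push({ host, kind, url: req.url });
    }
  }
  return findings;
}

// Constructed sample data: a throwaway username and four captured requests.
const USERNAME = 'canary-7f3a@example.test';
const SAMPLE_REQUESTS = [
  { url: 'https://shop.example.test/login', body: 'user=' + encodeURIComponent(USERNAME) },
  { url: 'https://cdn.tracker.example/p.gif?uid=' + hexDigest('sha256', USERNAME) + '&tz=-300' },
  { url: 'https://fonts.example.net/css?family=Inter' },
  { url: 'https://sync.tracker.example/c', body: JSON.stringify({ e: hexDigest('md5', USERNAME) }) },
];

for (const f of findUsernameLeaks(USERNAME, 'shop.example.test', SAMPLE_REQUESTS)) {
  console.log(`${f.kind} of username sent to ${f.host}`);
}
```

Seeing the same digest go to the same host from two unrelated sites is the cross-site link described above.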