Recently, there’s been some excitement over the discovery that some sites are (ab)using browser password managers to identify users even when they’re not logged in.
This technique (I call it the “NameTag vulnerability”) isn’t new or novel, but the research showing that it’s broadly being used “in the wild” is certainly interesting1, and may motivate changes in password managers to combat the abuse.
Most browser password managers already protect against the NameTag vulnerability when you surf in the browsers’ Incognito or InPrivate modes. When IE11 shipped and accidentally removed the mitigation, I complained and it was silently patched. Similarly, we patched a version of this issue in Chrome 54.
Because users often wish to use the password manager even in while Incognito, the feature isn’t disabled, but instead enters a mode called “Fill on account select” (FOAS) whereby the user must manually select an account from a dropdown in order to fill the username and password. This helps prevent a site from silently identifying a user.
If you’d prefer to use the FOAS mode even when you’re not browsing in Incognito, you can enable this via a flag. Navigate to chrome://flags/#fill-on-account-select and change the setting to Enabled and restart.
To make a similar change in Firefox, navigate to about:config and change the signon.autofillForms setting to false.
Beyond the NameTag use-case, enabling FOAS can serve as a defense-in-depth against XSS attacks and similar vulnerabilities.
The Chrome team is discussing other potential mitigations in https://crbug.com/798492; feel free to “star” the issue to follow along.
Update: Chrome 65.0.3316 introduces a partial mitigation for this issue. Chrome has long had a feature called the PasswordValueGatekeeper that prevents JavaScript on a page from reading the .value property of an autofilled Password field until the user has interacted with the page in some way (a keystroke or mouse click). The Gatekeeper is designed to provide a (weak) mitigation against automated password harvesting attacks (e.g. in the event of a malicious router or UXSS vulnerability). In Chrome 65, the protection of the PasswordValueGatekeeper has been extended to also cover auto-filled Username fields, providing some mitigation against the threat described in this post. The FOAS option provides stronger protections but remains off-by-default.
-Eric
[1] Similarly, a recent study found that many sites also have third-party scripts that spy on users’ interactions with pages, something every developer knows is possible, but most humans never think about.
text/plain 