How Advertisers Secretly Steal Your Login Details

Ever wondered why you those pesky adverts follow you around the internet after you have searched for something to buy online?

One reason is ad spammers are stealing your email address without you knowing with secret forms.

A team of web researchers have revealed that online advertisers harvest email address and search information when you autocomplete a form with your browser’s password manager.

The data can help the admen track you across the web and to build a profile of your online likes.

The team from America’s prestigious Princeton University have detected the code to harvest email addresses on more than a thousand high-traffic web sites.

Abusing the password manager

The code spoofs your browser password manager to populate an invisible form and to send the data to a database.

The researchers explained that the main fear was hackers stealing passwords from web sites – but no evidence of malicious code to grab online access code was found across 50,000 servers.

“All major browsers have built-in login managers that save and automatically fill in username and password data to make the login experience more seamless. The set of heuristics used to determine which login forms will be auto filled varies by browser, but the basic requirement is that a username and password field be available.

“Login form auto filling in general doesn’t require user interaction; all of the major browsers will autofill the username, which is often an email address, immediately, regardless of the visibility of the form,” said the researchers.

The offending web services

“Google Chrome doesn’t autofill the password field until the user clicks or touches anywhere on the page. Other browsers we tested don’t require user interaction to autofill password fields.

“Third-party JavaScript can retrieve the saved credentials by creating a form with the username and password fields, which will then be auto filled by the login manager.”

The main script abusing password managers is Adthink – which was hiding on 1047 web sites under an web address. The other is OnAudience, which was on 63 sites as

The researchers suggest switching off automatic login is the best defence.

The scripts were found on a range of popular browsers, including Firefox, Chrome, Internet Explorer, Edge and Safari.

Click here for a full list of web sites with the tracking code