Numerous reports over the last few days have accused ad tracking companies like AudienceInsights of injecting hidden login forms through scripts hosted on over 1000 of the top million websites.
Update: 1Password has responded by referring me to this blog post.
The scripts, injected in advertising hosted on these sites, prompt your web browser to supply your email address, which is then hashed into a digital fingerprint that is used to track visits to other websites that unwittingly host the same scripts. This slightly unnerving practice highlights a security flaw that could compromise user accounts, including login details and passwords.
This is a wake-up call for users and website operators. Users should still be using password managers, as secure and unique passwords are still very important, but disabling autofill functions will go a long way to stopping this from being a problem. In addition, using browser plugins like Privacy Badger and NoScript can help boost security against trackers and other third parties.
Website operators should start to question who they are selling their visitors and customers to and re-evaluate their relationships with tracking companies. Blindly allowing third-party code on your website leaves the door open for things to go really wrong.
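One way a site operator could check their own pages for the hidden-form behaviour described above is to watch for login-style inputs that are added after page load but cannot be seen by the user. This is an added example, not code from the original article or from any vendor it mentions; the heuristics, thresholds and function names are assumptions.

```javascript
// Added example: heuristics, thresholds and names are assumptions.
const AUTOFILL_TYPES = new Set(["email", "password"]);
const AUTOFILL_HINTS = /user|email|login|pass/i;

// True if a browser or password manager would plausibly autofill this input.
function isAutofillTarget(input) {
  const type = (input.type || "text").toLowerCase();
  if (AUTOFILL_TYPES.has(type)) return true;
  const hint = `${input.name || ""} ${input.id || ""} ${input.autocomplete || ""}`;
  return type === "text" && AUTOFILL_HINTS.test(hint);
}

// Reasons the user cannot see the field; `style`/`rect` mirror getComputedStyle()/getBoundingClientRect().
function invisibleReasons(style, rect) {
  const reasons = [];
  if (style.display === "none") reasons.push("display:none");
  if (style.visibility === "hidden") reasons.push("visibility:hidden");
  if (parseFloat(style.opacity) === 0) reasons.push("opacity:0");
  if (rect.width <= 1 || rect.height <= 1) reasons.push("zero-size");
  if (rect.right < 0 || rect.bottom < 0) reasons.push("off-screen");
  return reasons;
}

// Returns a finding for an invisible autofill target, otherwise null.
function auditInput(input, style, rect) {
  if (!isAutofillTarget(input)) return null;
  const reasons = invisibleReasons(style, rect);
  if (reasons.length === 0) return null;
  return { field: input.name || input.id || "(unnamed)", reasons };
}

// Browser wiring: audit every <input> added to the DOM after page load.
function watchForHiddenLoginFields(doc) {
  const check = (el) => {
    const finding = auditInput(el, getComputedStyle(el), el.getBoundingClientRect());
    if (finding) console.warn("Invisible autofill-target field injected:", finding);
  };
  new MutationObserver((mutations) => {
    for (const m of mutations) {
      for (const node of m.addedNodes) {
        if (node.nodeType !== 1) continue; // element nodes only
        (node.matches("input") ? [node] : node.querySelectorAll("input")).forEach(check);
      }
    }
  }).observe(doc.documentElement, { childList: true, subtree: true });
}

if (typeof document !== "undefined") watchForHiddenLoginFields(document); // browser only
```

The check inspects each field once, at insertion time, so a field that is restyled to be invisible afterwards is not flagged.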
Industry-leading password managers LastPass and 1Password have been asked for comment on this exploit.