by xg15 1795 days ago
I agree, the danger of password theft seems rather low, but I wonder if this mechanism could be abused for tracking.

Imagine you're Facebook and you want to track your users on non-Facebook sites. Traditionally, this would be done with some iframe-embedded widget and 3rd-party cookies. But browsers are increasingly phasing out 3rd-party cookies, so that won't work anymore in the near future.

As an alternative, the widget could embed a username and password field. When the browser autofills the field, a script sends the credentials to Facebook, along with the site's URL. The account can be linked up without any cookies involved.

(This makes some assumptions I haven't verified: that autofill works in 3rd-party iframes and that the user gesture can be outside the iframe.)

In a more limited scope, this works for first-party cookies as well: if you logged out of a site and cleared your cookies, the site could use the autofilled credentials to associate your guest session with your account even without you actively logging in.