This weekend, research made headlines by describing a new technique used by advertisers: a way for ad targeters to track you using your browser’s password manager. Two scripts, AdThink and OnAudience, obtain information that can identify you from autofill forms. Here’s how to turn off Safari autofill on macOS and iOS.
Which Password Managers?
1Password took to Twitter to reassure users, saying that the password manager is immune to these types of attacks.
Another popular manager, LastPass, hasn’t given any information (that I know of) about this attack. But these password managers tend to work similarly, so I’m guessing that it too isn’t affected.
The scripts work by injecting invisible login forms in the background of a website. When your browser automatically fills in those forms, the script collects the information. That information can then be used as a persistent ID to track people throughout the web. While the scripts largely focus on usernames, there is nothing stopping them from collecting passwords too.
Turn Off Safari Autofill
People who use third-party password managers aren’t affected. If you rely on iCloud Keychain, the scripts may end up collecting your data. But it’s easy to turn off autofill.
On your Mac, open Safari and go to Safari > Preferences. When the preferences box appears, click on the Autofill tab. Uncheck the box next to user names and passwords.
On your iPhone or iPad, go to Settings > Safari > Autofill. Turn off the switch next to Names and Passwords.
However, if you prefer to use iCloud Keychain instead of paying for a password manager, you can use an adblocker to prevent tracking by third-party scripts. The researchers note that the two domains used to serve the scripts (behavioralengine.com and audienceinsights.net) are blocked by the EasyPrivacy blocklist.
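To make the invisible-form behaviour and the blocklist match concrete, here is an added example (not code from the researchers, EasyPrivacy, or any ad blocker) that audits a snapshot of a page for login forms the user cannot see and for scripts loaded from the two domains named above. The snapshot shape, the invisibility heuristics, and the sample data are assumptions made for illustration.

```javascript
// Added example with constructed data. The two domains are the ones the article names.
const TRACKER_DOMAINS = ["behavioralengine.com", "audienceinsights.net"];

// True for a listed domain or any subdomain of it (suffix match on a label boundary).
function isListedTrackerHost(host) {
  const h = host.toLowerCase().replace(/\.$/, "");
  return TRACKER_DOMAINS.some((d) => h === d || h.endsWith("." + d));
}

// Assumed heuristic: not rendered, transparent, at most 1px, or off the top/left edge.
function isInvisible(f) {
  return f.display === "none" || f.visibility === "hidden" || Number(f.opacity) === 0 ||
    f.width <= 1 || f.height <= 1 || f.left + f.width <= 0 || f.top + f.height <= 0;
}

// Fields a password manager is likely to autofill.
function isCredentialField(f) {
  const ac = (f.autocomplete || "").toLowerCase();
  return f.type === "password" || f.type === "email" ||
    ["username", "email", "current-password"].includes(ac);
}

// snapshot = { scriptSrcs: [absolute URLs], forms: [{ id, fields: [...] }] }; in a browser,
// fill it from document.scripts, document.forms, getComputedStyle(), getBoundingClientRect().
function auditPage(snapshot) {
  const findings = [];
  for (const form of snapshot.forms) {
    const cred = form.fields.filter(isCredentialField);
    // Report only when every credential field is invisible, so a normal
    // login form that carries a hidden CSRF token is not flagged.
    if (cred.length > 0 && cred.every(isInvisible)) {
      findings.push({ kind: "invisible-login-form", id: form.id });
    }
  }
  for (const src of snapshot.scriptSrcs) {
    let host;
    try { host = new URL(src).hostname; } catch { continue; } // skip unparsable src
    if (isListedTrackerHost(host)) findings.push({ kind: "listed-tracker-script", host });
  }
  return findings;
}

// Constructed sample: one ordinary login form and one injected invisible form.
const shown = { display: "block", visibility: "visible", opacity: "1", width: 200, height: 30, left: 100, top: 300 };
const SAMPLE = {
  scriptSrcs: ["https://cdn.behavioralengine.com/a.js", "https://notbehavioralengine.com/b.js"],
  forms: [
    { id: "login", fields: [{ ...shown, type: "email" }, { ...shown, type: "password" }, { ...shown, type: "hidden", display: "none" }] },
    { id: "injected", fields: [{ ...shown, type: "email", display: "none" }, { ...shown, type: "password", left: -9999 }] },
  ],
};
```

Calling `auditPage(SAMPLE)` reports the `injected` form and the `cdn.behavioralengine.com` script, while the ordinary login form and the look-alike host are left alone.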