Gunes Acar, Steven Englehardt, and Arvind Narayanan:

First, a user fills out a login form on the page and asks the browser to save the login. The tracking script is not present on the login page. Then, the user visits another page on the same website which includes the third-party tracking script. The tracking script inserts an invisible login form, which is automatically filled in by the browser’s login manager. The third-party script retrieves the user’s email address by reading the populated form and sends the email hashes to third-party servers. You can test the attack yourself on our live demo page.

Once again I say: the web would be better off if browsers had never added support for scripting. Many of the ads you see on legitimate websites today are effectively malware.
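A first-party page guard for the pattern the quoted passage describes, added here as an example (it is not code from the researchers or from this blog): it watches for credential-style inputs that a script injects while they are invisible, and hands them to a handler that can log or remove them. The `form.site-login` selector is an assumption standing in for the site's own login form.

```javascript
// Added example, not code from the quoted research or this blog: a first-party guard that
// flags credential-style inputs injected while invisible, the pattern the quote describes.
// The classifier takes plain objects so it runs without a DOM; the observer is browser-only.
const LOGIN_TYPES = new Set(['email', 'text', 'password']);
const LOGIN_HINT = /user|login|email|mail|pass/i;

// Styles that hide a field from the user but not from a login manager (incl. off-screen).
function isVisuallyHidden(style = {}) {
  if (style.display === 'none' || style.visibility === 'hidden') return true;
  if (Number(style.opacity) === 0) return true;
  return ['left', 'top'].some(k => parseFloat(style[k]) <= -1000);
}

// field: { type, name, autocomplete, style, insideKnownForm }. True when the input is a
// credential-style field the page did not declare and the user cannot see.
function looksLikeAutofillBait(field) {
  if (field.insideKnownForm) return false;
  const type = (field.type || 'text').toLowerCase();
  if (!LOGIN_TYPES.has(type)) return false;
  const credentialHint = type !== 'text' ||
    LOGIN_HINT.test(field.name || '') || LOGIN_HINT.test(field.autocomplete || '');
  return credentialHint && isVisuallyHidden(field.style);
}

// Browser-only: describe a live <input>; a hidden ancestor counts as hiding the field.
function describeInput(el, knownForms) {
  let hidden = false;
  for (let n = el; n && !hidden; n = n.parentElement) {
    const s = window.getComputedStyle(n);
    hidden = isVisuallyHidden({ display: s.display, visibility: s.visibility,
                                opacity: s.opacity, left: s.left, top: s.top });
  }
  return { type: el.type, name: el.name, autocomplete: el.autocomplete,
           style: hidden ? { display: 'none' } : {},
           insideKnownForm: knownForms.some(f => f.contains(el)) };
}

// Watch for inputs added after load by any script and hand suspicious ones to onHit.
function installGuard(knownForms, onHit) {
  const obs = new MutationObserver(records => {
    for (const r of records) for (const node of r.addedNodes) {
      if (node.nodeType !== 1) continue;
      const inputs = node.matches('input') ? [node] : [...node.querySelectorAll('input')];
      for (const el of inputs) if (looksLikeAutofillBait(describeInput(el, knownForms))) onHit(el);
    }
  });
  obs.observe(document.documentElement, { childList: true, subtree: true });
  return obs;
}

if (typeof document !== 'undefined') {  // 'form.site-login' is an assumed selector
  installGuard([...document.querySelectorAll('form.site-login')],
               el => { console.warn('Removed hidden credential field', el); el.remove(); });
}
```

Load this before any third-party script so the observer is already attached when an injection happens; a script running in the same page can still disconnect it, so treat the handler's log as a signal for monitoring rather than a hard boundary.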