
Can ads on a page read my password? - linux2647
https://security.stackexchange.com/questions/214784/can-ads-on-a-page-read-my-password
======
munk-a
I really wish awareness of this reached a wider audience, third party
advertising is a terrible blight on the web that has been allowed to grow and
fester - it supplies no value and compromises both browser security and our
peace of mind - being bombarded by these things constantly is training most of
us to ignore a lot more and focus on short focused bursts of information...

IMO (and this is really deep into opinion) this has slowly been contributing
to the lack of attention spans and un-inquisitive response most people have
when things on facebook just straight out tell lies. Web-advertising has such
a feeble value for the cost it's exacting.

~~~
kpU8efre7r
It does provide value though. As much as I hate it most people don't want to
pay for shit. So here we are.

~~~
munk-a
I strongly disagree. I used to work on a MUD, the monthly run costs for that
MUD came to $60. The MUD was free for anyone to play on - it had a website and
forums and a server application to connect to via telnet. The cost for this
came out of the fact that someone, somewhere needed to keep some servers
running, and we needed to keep DNS working, the name registered... all of
these ended up requiring three dedicated boxes which we got at a long term
discounted rate because we knew a guy in a server farm where we could park our
boxes.

Once upon a time it was a similar question if you wanted to run a hobbyist
website, you needed a dedicated box somewhere or maybe to fork out 15/mo for
some space on a shared host.

Nowadays that MUD could easily run on the smallest cloud instance you could
find with one less server even for a total of 10/mo - if you want to run a
blog and tell the world about your intense interest in widget manufacturing
there are cheap ways to host it - if the content is standard enough you might
even be able to cut down the price to 10-20/yr.

It used to be that if you were so passionate about a topic you thought there
needed to be a website about it then... you'd start it and host it yourself,
it'd be an incidental cost that you'd just eat - then the mentality shifted to
the assumption that your hosting of this thing should be profitable to you -
you should get paid for maintaining such a site!

That's the real problem, people expect other people to pay for shit that
nobody would pay for - since no one steps up to the "so reasonable" 10/mo
subscription then ads are injected to make up for the "loss". If your site
isn't valuable enough to get subscribers that doesn't mean it shouldn't exist,
it just means that you should put up a donation page and treat any money you
get out as an unbelievably strong endorsement of your decision to fund the
existence of your little corner of the internet.

~~~
Apotheos
The company I work for has operating costs of $25MM+, we're a news site and
would love to not have ads, but that's where 99% of our revenue comes from.

We break stories on corruption, injustice, and all kinds of other content. I
think that running ads allowing us to do that would constitute a benefit.

~~~
harry8
Sure but what we need is you to be able to be competitive serving ads
yourselves from your own domain. Ideally, showing the exact same ads to
everyone, just like a newspaper should.

It's not a criticism of you if you _can't_ do that. It's where we need to be.
Nobody opted in for all this surveillance. And there does also seem to be a
_lot_ of fraud in online advertising. Get everyone's phones and home routers
running something like pi-hole and the whole advertising landscape would change
for the better. Google would hate it, sure, but so what? You might find your
ads are more valuable too because seeing an ad in a genuine news source as
context has more influence on a potential purchaser than seeing the exact same
ad on john-does-racist-blog. Even if they are the exact same 2 eyeballs seeing
both copies of the same ad.

Ads, sure. We're all basically fine with ads per se. Just not the current
advertising arrangements involving reaming us with surveillance and all the
other nasties as well. Didn't agree to it, don't want it, will block it and
will proselytise ad blocking.

~~~
dorgo
> We're all basically fine with ads per se.

Speak for yourself. I'm pretty allergic to ads - stopped watching tv, reading
newspapers etc. a decade ago. No way I accept ads on the web just because they
are in more traditional formats.

~~~
harry8
You are _fine_ with it by exercising your option to avoid them in the normal,
rational and informed manner. Don't like watching tv ads, don't watch
commercial tv. Done. Clear, obvious, simple, rational and all consent is
informed.

------
paulgb
Back before HTTPS was prevalent, as a proof of concept, I set up a DNS server
to redirect Google Analytics domains to an MITM server that added a keylogger
and added some HTTP headers to tell it to cache it as long as possible. The
result was a keylogger that persisted on most sites (anything with GA), even
after I connected to a non-compromised DNS server.

Fortunately this is no longer possible because of HTTPS, but I was able to
convince some big sites to switch to HTTPS because of it.

~~~
jjnoakes
How did you get clients to use your DNS server? Was it on a network where you
controlled the router, or did you set up a WiFi base station that folks
blindly connected to in public, or some other way?

~~~
pseudosavant
I'm pretty sure you could do it with just ARP spoofing/poisoning
([https://en.wikipedia.org/wiki/ARP_spoofing](https://en.wikipedia.org/wiki/ARP_spoofing)).
No need to control any other node on the network.

------
moltensodium
You can't browse the web securely if you're being served third party ads. I'm
not sure why this is considered acceptable and why the onus is always on the
user to find and report the "bad" ads that a site owner has no control over,
but it's really stupid.

I spent years browsing the web before there were any advertisements at all.
There is no need for this garbage despite how many Stanford grads tell you
it's totally necessary.

~~~
malms
> I'm not sure why this is considered acceptable

Because ads make money for all parties except the user.

------
Animats
Worse, "Google Backdoor" (a/k/a "Tag Manager") lets third parties inject
Javascript into your web pages. You can't even put Google's stuff into an
IFRAME to sandbox it.[1] The Evil Empire does not like to be contained.

[1] [https://adsense.googleblog.com/2011/06/clarifying-our-ad-implementation.html](https://adsense.googleblog.com/2011/06/clarifying-our-ad-implementation.html)

~~~
andrerm
And now Google is starting its move against ad blockers by first restricting
them and then forbidding (they will deny). But it's for performance and speed
because ad blockers are so bloated /s. And of course Google can't do evil
because "Don't do evil" /s

------
reilly3000
That is the whole point of safe-frames, which are default in DFP.

> While SafeFrame shares information with ad content served to its API-enabled
> iframe, the publisher chooses what to share and can protect sensitive
> consumer information like personal email addresses, passwords, or even
> banking information.

Docs for DFP:
[https://support.google.com/admanager/answer/6023110?hl=en](https://support.google.com/admanager/answer/6023110?hl=en)
Spec:
[https://www.iab.com/guidelines/safeframe/](https://www.iab.com/guidelines/safeframe/)

~~~
phkahler
Technical measures can not be required to cover security holes. The holes must
be closed. Otherwise it falls on users to audit all sorts of stuff they don't
understand - and by users you can include developers.

~~~
gridlockd
This is not really a security hole. It's the intended behavior. Web developers
(should) know that they are exposing all user behavior to the third-party code
they bring in. The solution is to "not do that", but developers tend to choose
convenience over safety, as do their clients, as do their clients' users.

------
allana
Sounds like a great reason to block ads, if not all 3rd party scripts.

~~~
nixpulvis
The whole Web 2.0 is a mess.
[https://nixpulvis.com/ramblings/2018-08-11-web-shit-point-oh](https://nixpulvis.com/ramblings/2018-08-11-web-shit-point-oh)

~~~
allover
Even imagining a world in which all the major browser vendors had agreed to
constrain browsers to a pure HTML+CSS+flash-like-extension-free web, someone
would've eventually come out with a heavily funded 'next gen' browser with
their flash/silverlight equivalent, and we'd either be in proprietary-land, or
right back here with an open JS equivalent, post-backlash. Ship sailed and
always would have.

~~~
nixpulvis
And that's why we enlist regulators to protect the consumers. This isn't new,
you're right.

~~~
gridlockd
What are you gonna regulate here, ban third party code? Good luck with that.

~~~
nixpulvis
Why do you assume regulating = banning?

~~~
gridlockd
Well, what's the alternative then?

~~~
nixpulvis
Elect sane and involved policy makers to keep a watch on the market. Impose
regulations that make it harder to exploit the consumer, and hold those who
break these policies accountable.

I suppose the whole ban vs regulate issue is a matter of granularity.
Regulation does impose a set of banned practices, but it's not like you make
it out to be, where all 3rd party code would have to be banned.

The main issue is that we need to agree on what we are actually capable and
interested in protecting, in an insanely fast moving industry. This is why
motivated and educated policy makers are crucial to the problem. There's still
to this day nowhere near the level of discourse on this subject that's needed
happening in places with power to make a difference. Just like in the early
days of the gold rush, I'm sure you could find countless cases of criminal
shovel sellers.

But given the current ecosystem, this doesn't surprise me sadly. We (in the
US) are locking kids up without parents for crimes they didn't commit. I
suppose abusive or illegal ads aren't my biggest concern.

~~~
gridlockd
I'm sorry, I meant to ask: What's the alternative to banning third party JS?
What's the actual regulation that should be enforced here? Do we ban specific
behaviors of programs for third parties, but allow them for first parties?
Make businesses pay for all the auditing?

Let me just say: I don't know what harebrained regulation would come out of
this, but I'm pretty sure I don't want it.

> Elect sane and involved policy makers to keep a watch on the market.

That's not a solution, that's a fantasy scenario.

~~~
nixpulvis
I'd like to see restrictions to what terms of service can permit. For example,
it's one thing for me to be giving the 1st party some legal rights to collect
information about me, it's another thing to allow essentially untrusted 3rd
parties to collect as well. Some limits must be in place.

If this means some services are no longer viable because they can't make ad
revenue, then maybe that's a good thing. Nothing is free, and we still live in
the Wild West with companies getting away with monetizing our information
behind our backs to subsidize the service. It's one thing to "pay" me for the
time I watched your ad, it's another thing to "pay" me for a profile of my
activity on the site or sites, which has enough information, generally, to
uniquely identify me, and contains demographic and personal information
determined by black boxes.

My point here might simply be, if it's my information, I should be entitled to
know how it's actually being used.

But the first action I'd hoped to see is to make devices like the Amazon echo,
and google home illegal.

> Probably the clearest example of a place where there's a reasonable
> expectation of privacy is in the home. A person doesn't have to be a
> homeowner for the law to protect that expectation; tenants who rent their
> homes also have a protected right to privacy. Moreover, invasion of privacy
> doesn't just mean that someone physically enters a place where a person has
> a reasonable expectation of privacy. It can also happen if someone uses
> electronic equipment to monitor or record what someone is doing in the home.
> [1]

This also goes for guests of your home, so as far as I'm concerned, Amazon (or
my friend, or both) are/is breaking the law whenever I enter a home with one
of these things installed. The regulation should demand Amazon (in this
example) to explicitly state how they are protecting my rights given the
presence of an active microphone in the home. As things stand they are
_clearly_ not respecting our privacy.

Even Apple, who makes a point about how "Hey Siri" works isn't completely off
the hook. I'd be interested in talking about Japan-esque laws requiring a
sound to be played when Siri is activated, much like how a shutter noise must
be played when a photo is taken.

The point here is, it's MY LIFE, I should at least know what's being done with
it.

1: [https://injury.findlaw.com/torts-and-personal-injuries/what-is-the--reasonable-expectation-of-privacy--.html](https://injury.findlaw.com/torts-and-personal-injuries/what-is-the--reasonable-expectation-of-privacy--.html)

~~~
gridlockd
> For example, it's one thing for me to be giving the 1st party some legal
> rights to collect information about me, it's another thing to allow
> essentially untrusted 3rd parties to collect as well. Some limits must be in
> place.

In other words, if I defer any part of my services to a third party, I cannot
do it anymore. Goodbye payment processing, fraud detection, spam/DDOS
protection... the list is endless. Advertising is the least concern here.

See, that's the difficulty with regulation, you need to be very careful what
is and isn't included. You don't want to accidentally prohibit crucial
services. You don't want to burden business with liabilities by being vague.
You don't want to leave too many loopholes or else your regulation does
nothing but cause administrative overhead.

If you have so much faith in politicians to do a good job here, by all means,
go out and lobby for this kind of regulation. Let's just say I don't share
your optimism.

> My point here might simply be, if it's my information, I should be entitled
> to know how it's actually being used.

If you don't like your information being used for pretty much any purpose,
don't give it to me. I can't preconceive of all the possible ways I am going
to handle your data. Maybe I want to switch web hosts, or maybe I want to back
it up somewhere else. Maybe I'm an idiot and I'll store it on a database with
no password, exposed to the internet.

> This also goes for guests of your home...

Not necessarily. Depending on where this takes place, if you enter my home, I
don't have to disclose that you're being video or voice monitored. Maybe _you
don't like it that way_, but those are my rights trumping yours.

> I'd be interested in talking about Japan-esque laws requiring a sound to be
> played when Siri is activated, much like how a shutter noise must be played
> when a photo is taken.

This is a good example of a pointless law. Sure, the cameras make a "shutter
sound" when taking a photo, but they don't make a sound when recording video.
When Siri activates, it _does_ make sound, but if you want to activate it by
voice, clearly it needs to listen _all the time_ for the keyword (or whatever
sounds like the keyword). There's no way around that.

So, what are you going to do, require bright flashing lights on all
cameras/microphones?

------
JoshMnem
umatrix makes it easy to disable all JS or all 3rd party JS:

[https://addons.mozilla.org/en-US/firefox/addon/umatrix/](https://addons.mozilla.org/en-US/firefox/addon/umatrix/)

You can combine it with custom CSS through stylus:

[https://addons.mozilla.org/en-US/firefox/addon/styl-us/](https://addons.mozilla.org/en-US/firefox/addon/styl-us/)

~~~
harry8
Do this. Do pi-hole too. But we shouldn't have to. If enough of us do maybe
they'll stop all this 3rd party crap.

It shouldn't be up to users to audit every damn 3rd party url to protect
themselves. You went to a single url the publisher of which should be
completely responsible both morally and legally for all content. The end.

~~~
gridlockd
> It shouldn't be up to users to audit every damn 3rd party url to protect
> themselves. You went to a single url the publisher of which should be
> completely responsible both morally and legally for all content. The end.

In other words, shut down all businesses that rely on third party
advertisement. Got it.

~~~
apexalpha
Businesses used to rely on pop-up ads too, before browsers started to ban
them.

If browsers ban JS in ads, HTML based ads will rise in value.

~~~
gridlockd
> If browsers ban JS in ads, HTML based ads will rise in value.

How are you going to detect what third-party JS is an ad? That's basically the
job of an ad blocker. Do you expect Google to ship an ad blocker that blocks
ads of its competitors? That'll be a great antitrust lawsuit.

------
ceejayoz
Capital One's site (which includes a login form) calls out to DoubleClick,
Facebook, New Relic, something terrifyingly vague called xg4ken.com, and about
a dozen other third parties.

One targeted compromise of _any_ of these scripts would be catastrophic.

~~~
gruez
> calls out to DoubleClick, Facebook, New Relic, something terrifyingly vague
> called xg4ken.com, and about a dozen other third parties

Now imagine how many npm dependencies the backend or frontend has. How much do
you trust marwahaha, yyx990803, or sokra?

~~~
im3w1l
Script inclusion is worse because you can decide what you send depending on
ip, enabling targeted attacks. With NPM you will have to upload the malware
for all to see.

------
SilasX
Stupid question: why not make password-marked fields something that JS engines
simply can't read from? I imagine it would stop you from client-side warnings
of password insecurity, but is there a bigger problem?

~~~
ceejayoz
It would kill any site with an AJAX-based login.

Twitter, AirBnb, Facebook, Google, Apple...

~~~
bmm6o
Yeah, posting a form to log in is the exception nowadays.

------
ErikAugust
A founder of a “customer experience” service cold-messaged me once. I came in
to see more about what they were doing, and they interviewed me a bit.

As far as I could gather they provided a script to their customers that added
event listeners to everything on the DOM and sent it to their servers. As far
as I can tell, they were going fast and loose. They weren’t interested in me,
but I must say I wasn’t interested in them either.

------
BitwiseFool
I was already blocking ads via uBlock Origin, but now I may start blocking
third-party scripts by default.

~~~
munk-a
I switched into a block all scripts by default web stance a while back and am
continuously amused by how operable different sites are, some degrading
relatively gracefully, some just going white screen (usually SPA of some sort)
other sites go totally wonky when they find themselves unable to rewrite the
DOM and style rules to render the page as they want - sorta close to that old
occurrence when CSS would fail to download and you'd have a giant <ul> block
that was being restyled as a menu... but far more disappointing because there
is really no reason to push styling into JS and so many out-of-the-box
responsive style frameworks at this point.

~~~
ceejayoz
The really fun ones are the ones that work _better_ with the JS disabled.

~~~
OJFord
Best yet for me was 'client-side pricing' - I increased basket 'weight', and
the web app neglected to correspondingly increase the price.

------
gridlockd
I would like to point out that, despite this arguably catastrophic situation,
it's not much of an issue in practice.

Stealing credentials through third party code is a relatively expensive
attack. It has to be engineered for a specific site and then it needs to pass
the auditing of the vector (i.e. the ad network, or the developers).

Once the attacker has achieved that, what do they get? The credentials for
most sites are worthless. Of course some users might use the same password on
multiple sites, but they had it coming.

Those sites that do have valuable credentials also have heightened security
measures. If your bank is serving you ads on the login screen, perhaps you
should use another bank.

------
ypcx
Running uBlock or similar is now a part of basic web browsing hygiene.

There used to be starting projects which used cryptocurrency or some other
token system to allow you to "load" your browser with credits, which then
would get auto (or semi-auto) voluntarily distributed to the websites you
read, which support this mechanism. But I think they haven't caught on. But
essentially, I hope they come back.

In the meantime, I'm still waiting for a reasonable solution to block
advertising and tracking scripts on the mobile - as e.g. I think no sane (and
informed) person will use a closed source browser, e.g. Brave.

~~~
pllbnk
Assuming you are using Firefox on Android, you can use uBlock Origin or almost
any other extension as you would on desktop.

~~~
BrendanEich
uBO works on desktop Brave too (a lot of redundancy but it adds 1st party
blocking features) and we will keep it working, whereas Google seems intent on
breaking it with Manifest V3 extension API changes.

------
he0001
Regarding the answer:

> It's worse than that. Web performance tools and similar not only read your
> credentials but they read the credentials you type and then delete. Very
> nasty. You might be able to get away with not typing, always pasting your
> credentials. But the javascript has access to your DOM so it can just read
> every element. The only way to stop that is not to use credentials but to
> use oAuth and hand your life over to Google. What could go wrong.

What’s the technical explanation how OAuth is safe in this context? If the DOM
is accessible wouldn’t other things be accessible?

~~~
L3viathan
The authentication happens on a different site (the Google login site) then,
and you only get back a token. The worst the ad could do is steal your token
then, which will only be valid for a little while.

~~~
he0001
OTOH if it’s so easy to steal it, they could just steal the next one, not
needing any credentials at all. Or steal the refresh token?

------
LeonB
If you make sure that login/registration pages have no ads, that's not enough
to be secure.

One example: you've probably clicked the "login" (or register) link _from_ a
page that does have ads, and a malicious script could've hijacked that click
and presented you with a perfect replica of a login (or register) page, and
then captured your input. And I'm sure there are many other such tricks.

------
perl4ever
It occurred to me that I, and others, are trying to deal with advertising the
wrong way. It's a waste of time to try to filter out ads per page. There needs
to be a way to search pages without ads (without javascript ads anyway) and to
show pages without links to pages with ads.

------
croh
Sadly Google/Facebook/Amazon only care to increase speed and loading pages
fast. Many new standards are being developed for this, but not about user
security, as ads are their primary business.

------
londons_explore
Pick a random webpage with ads, right click, and "inspect element".

You will see the ad is rendered in a sandboxed iframe.

It's true that the ad-network can usually run in the context of the main page,
but the ad itself cannot.

The ad network is typically fairly trusted - they are profitable businesses
with a lot to lose to lawsuits if they store or leak your password.

It's the ad itself that you shouldn't trust - anyone with $1 can submit an ad.
And that's why it's sandboxed.

~~~
krageon
> a lot to lose to lawsuits if they store or leak your password.

This has been demonstrated to be wrong (see: every time there's malware on an
ad network).

~~~
londons_explore
There has been no instance of malware on an ad network (that I know of).

The malware has been in an ad creative, and those are sandboxed. The malware
has usually exploited weaknesses in the browser, but if there weren't browser
exploits, it still wouldn't get access to the host page.

Such browser exploits are getting harder to find with things like per-domain
process isolation in Chromium based browsers.

~~~
krageon
The only thing creative here is the imagination that the ad network is not
responsible for the content it serves, though I recognise we may just have
fundamentally different outlooks on responsibility. If that is the case, I
feel like discussing it further is not going to help either one of us.

------
indigo62018
How about side channel attack (such as meltdown and spectre) from ads? Is it
possible?

~~~
zie
Normally yes, but most browsers have mitigations in place that prevent this
from happening, for some degree of prevent. But browser mitigations, plus OS
updates and Intel/AMD firmware updates, for machines that stay up to date make
the specific Meltdown/Spectre attacks mostly not a thing in JS(in the
browser).

That said, Javascript(in browser) and Security are basically 100% opposites.
If you can execute JS in a browser, you can do whatever you want to that page
in the browser.

~~~
zzzcpan
There is a problem with mitigations in web browsers, the only practical
problem they are targeting is a hypothetical situation of a 3rd party script
running in a sandboxed iframe, but almost none of them do! They don't need
side channels to steal anything, they are not isolated. And the only
acceptable use for a sandboxed 3rd party iframe is to block it by default.

~~~
zie
Well, I was going to say more on the subject, but didn't want to get flamed by
JS lovers. I did say "If you can execute JS in a browser, you can do whatever
you want to that page in the browser."

I don't disagree with your point, but there is another perspective that the
mitigations aim to stop, which is cross-tab/window data gathering (and cross
process), which is most of the point of Spectre and friends anyways, which is
stealing data from some other process, not the process you are running under.
Stealing from your own process is easy. Stealing from another process is
supposed to be hard, and stealing from the kernel is supposed to be
impossible.

------
skygazer
Many years ago, I was a software architect at an online travel company.
Marketing kept asking me to approve third-party hosted tracking scripts
walking the DOM looking for tracking tags at every step on our purchase path.
I objected on the billing page, simply because I couldn't guarantee the safety
of credit card numbers and customer data, but said it would be okay if we
reviewed and hosted their js statically, but the third parties always refused.

Perhaps I overreacted, because at the time, the e-commerce industry didn't
seem to care about the risk. Do they now?

I hope OWASP/PCI/GDPR have since developed opinions about third party hosted
js on sensitive pages.

------
phkahler
So the solution is to disable JS?

~~~
mirimir
Basically, yes. I use NoScript, blocking everything by default. If a page
doesn't load, I enable stuff until it does. I've been doing this for years, so
I know what's generally needed.

But for Goodreads, I'd be hosed as soon as I allowed the site itself:

> In the case of goodreads, their HTML contains javascript from the ad
> provider. Specifically, lines 81-145 of the HTML document returned by
> [https://www.goodreads.com/](https://www.goodreads.com/) read:

However, it's more or less readable without allowing any scripts. So hey.

So was that a way to work around ad blockers?

------
musicale
TL;DR: yes.

They suggest mitigating this by putting ads in a sandboxed iframe (unlikely
and probably not foolproof) and not having ads on a login page, but ads can
probably still steal your credentials.

It should be obvious that loading untrusted third-party content compromises
security, but apparently that is unimportant to sites that use third-party
advertising services.
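
An added example, not part of the thread: a static audit of a page's HTML that applies the distinction made in the comments above, where a `<script src>` from another host runs in the page's own origin (and can read a password input) while a cross-origin or sandboxed iframe cannot reach the parent DOM. The hostnames, sample page and function names are constructed for this example, and "third party" is simplified to "different hostname".

```python
from dataclasses import dataclass, field
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed sample login page (all hosts are placeholders under .example).
SAMPLE_URL = "https://bank.example/login"
SAMPLE_HTML = """
<script src="/static/app.js"></script>
<script src="https://cdn.adnetwork.example/tag.js"></script>
<script src="//metrics.example/rum.js" integrity="sha384-CONSTRUCTED-PLACEHOLDER"
        crossorigin="anonymous"></script>
<iframe src="https://creatives.adnetwork.example/slot1" sandbox="allow-scripts"></iframe>
<iframe src="/promo.html"></iframe>
<iframe src="/help.html" sandbox="allow-scripts allow-forms"></iframe>
<form method="post"><input name="user"><input type="password" name="pw"></form>
"""


def origin(url):
    """(scheme, host, port): the tuple the same-origin policy compares."""
    p = urlsplit(url)
    return (p.scheme, p.hostname, p.port or DEFAULT_PORTS.get(p.scheme))


@dataclass
class Audit:
    has_password_field: bool = False
    scripts: list = field(default_factory=list)          # (host, has_sri) per off-host <script src>
    isolated_frames: list = field(default_factory=list)  # cannot reach the parent DOM
    exposed_frames: list = field(default_factory=list)   # share the page's origin

    def password_readers(self):
        """Hosts whose code runs in the page's origin next to a password input."""
        if not self.has_password_field:
            return []
        return sorted({host for host, _ in self.scripts})

    def unpinned_hosts(self):
        """Off-host scripts without an SRI hash: the host can change the code silently."""
        return sorted({host for host, pinned in self.scripts if not pinned})


class Collector(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.audit = Audit()

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # valueless attributes such as bare `sandbox` map to None
        if tag == "input" and (a.get("type") or "").lower() == "password":
            self.audit.has_password_field = True
        elif tag == "script" and a.get("src"):
            host = urlsplit(urljoin(self.page_url, a["src"])).hostname
            if host != urlsplit(self.page_url).hostname:
                self.audit.scripts.append((host, bool(a.get("integrity"))))
        elif tag == "iframe":
            src = a.get("src") or ""
            # A missing or about: src inherits the embedding page's origin.
            inherits = not src or src.lower().startswith("about:")
            url = self.page_url if inherits else urljoin(self.page_url, src)
            tokens = (a.get("sandbox") or "").lower().split()
            # sandbox without allow-same-origin forces a unique opaque origin.
            opaque = "sandbox" in a and "allow-same-origin" not in tokens
            if opaque or origin(url) != origin(self.page_url):
                self.audit.isolated_frames.append(url)
            else:
                self.audit.exposed_frames.append(url)


def audit_page(html, page_url):
    collector = Collector(page_url)
    collector.feed(html)
    collector.close()
    return collector.audit


if __name__ == "__main__":
    result = audit_page(SAMPLE_HTML, SAMPLE_URL)
    print("can read the password field:", result.password_readers())
    print("no integrity pin:", result.unpinned_hosts())
    print("same-origin frames:", result.exposed_frames)
```

An `integrity` hash does not stop a script from reading the form; it only ensures the code that runs is the version that was reviewed.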

------
33Backpack33
Aren't most OSes now blocking read access to text fields labeled as "password"?
I'm pretty sure MacOS does this now.

~~~
saagarjha
Not in the browser.

