XF 1.5 Security Issue : Login manager autofill abuse for tracking

DavidXLD

Active member
Correct me if I'm wrong, but I'm not sure how this directly relates to XenForo?

Based on that article, the issue relates to the autofill feature of web browsers, where an advertising/tracking script you embed on your website could potentially sniff a previously saved autofill email address (hashed) via an invisible form.

The websites on that list include two advertising scripts: OnAudience (behavioralengine.com) and Adthink (audienceinsights.net)... so if your website is on the list, you could look at removing those advertising scripts from your website?

The demo on that article at least seems to suggest that:
NOTE: This approach is only possible when a third party has script access to the first-party domain. Thus, our third-party script is only able to recover the credentials you saved for this website (senglehardt.com). It is not possible for us to access credentials for other websites.
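As an added example (not code from this thread, the article or XenForo), here is a defender-side check for the pattern described above: credential-style inputs that a script has placed where the user cannot see them. It works on plain field descriptors so it can be tested offline; describeField() is the assumed browser-side collector that builds one from a live input.

```javascript
// Added example, not code from the thread or from XenForo: flag credential-style
// inputs hidden from the user, the shape an autofill-harvesting form takes.
// Field descriptors are the assumed input; describeField() builds one in a browser.

const SENSITIVE_TYPES = new Set(["email", "password", "text", "tel"]);
const CREDENTIAL_NAME_RE = /(e-?mail|user(name)?|login|pass(word)?)/i;

// Does this field look like an autofill target that the user cannot see?
function isHiddenAutofillTarget(field) {
  const type = (field.type || "text").toLowerCase();
  if (!SENSITIVE_TYPES.has(type)) return false;           // e.g. type=hidden, checkbox
  const credentialLike = type === "email" || type === "password" ||
    CREDENTIAL_NAME_RE.test(field.name || "") ||
    CREDENTIAL_NAME_RE.test(field.autocomplete || "");
  if (!credentialLike) return false;
  const s = field.style || {};
  return s.display === "none" || s.visibility === "hidden" ||
    Number(s.opacity) === 0 ||                              // fully transparent
    field.width === 0 || field.height === 0 ||              // zero-sized box
    field.left < -1000 || field.top < -1000;                // parked off-screen
}

// Scan a list of descriptors and return the suspicious ones.
function findHiddenAutofillTargets(fields) {
  return fields.filter(isHiddenAutofillTarget);
}

// Browser-only collector (not exercised offline): turn a live <input> into the
// descriptor shape the functions above consume.
function describeField(input) {
  const cs = getComputedStyle(input);
  const r = input.getBoundingClientRect();
  return { type: input.type, name: input.name, autocomplete: input.autocomplete,
    style: { display: cs.display, visibility: cs.visibility, opacity: cs.opacity },
    width: r.width, height: r.height, left: r.left, top: r.top };
}

// Constructed sample: a visible login form, one injected off-screen transparent
// email field, and a CSRF token (type=hidden is never autofilled, so not flagged).
const VISIBLE = { display: "block", visibility: "visible", opacity: "1" };
const SAMPLE_FIELDS = [
  { type: "email", name: "login", autocomplete: "email", style: VISIBLE, width: 240, height: 32, left: 120, top: 300 },
  { type: "password", name: "password", autocomplete: "current-password", style: VISIBLE, width: 240, height: 32, left: 120, top: 340 },
  { type: "email", name: "e", autocomplete: "email", style: { ...VISIBLE, opacity: "0" }, width: 1, height: 1, left: -9999, top: 0 },
  { type: "hidden", name: "csrf_token", style: VISIBLE, width: 0, height: 0, left: 0, top: 0 },
];

// In a browser console on your own site:
// findHiddenAutofillTargets([...document.querySelectorAll("input")].map(describeField))
```

Run the browser one-liner in the comment after the page and its third-party scripts have loaded, since an injected form is only present once the tracking script has executed.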
 
This issue is not really clear to me.
I thought that the login form in XenForo could be secured against that, but maybe I am wrong.
The very strange thing is that I do not see this script at all in my XenForo templates...
So I do not understand why my site is on this list :-(
David
 