XF 1.5 Security Issue : Login manager autofill abuse for tracking

DavidXLD

Active member
Correct me if I'm wrong but not sure how this directly relates to XenForo?

Based on that article the issue relates to autofill of web browsers, where an advertising/tracking script you embed on your website could potentially sniff a previously autofill saved email address (hashed) via an invisible form.

The websites on that list include two advertising scripts: OnAudience (behavioralengine.com) and Adthink (audienceinsights.net)... so if your website is on the list, you could look at removing those advertising scripts from your website?

The demo on that article at least seems to suggest that:
NOTE: This approach is only possible when a third party has script access to the first-party domain. Thus, our third-party script is only able to recover the credentials you saved for this website (senglehardt.com). It is not possible for us to access credentials for other websites.
 
This issue is not really clear for me.
I thought that the login form in XenForo could be secured against that but maybe I am wrong.
The thing being very strange is that I do not that this script at all in my XenForo templates...
So I do not understand why my site is in this list :-(
David
 
Back
Top Bottom