Is the login page where the ad is displayed insecure?


by PhotoMIX-Company

There is always a risk of personal information being leaked, as user behavior is tracked on various websites. Web ads can track user behavior by using JavaScript, but if an ad is displayed on a login page, is there any way to prevent it from taking personal information? This question was posted on the bulletin board Information Security Stack Exchange and has become a hot topic.

web application - Can ads on a page read my password? - Information Security Stack Exchange
https://security.stackexchange.com/questions/214784/can-ads-on-a-page-read-my-password



In June 2019, Google Chrome developer Gregg Man discovered that ads on the programming community StackOverflow use JavaScript to track user behavior.

Man opened the developer tools and noticed the debug message 'AudioContext not allowed', which showed that a script was trying to invoke the audio API. Suspicious, Man investigated and found that the script was not trying to play audio but was calling the API to create a fingerprint of the user's computer. This allows the ad server to track users even if they block cookies.

Sneaky fingerprinting script in Microsoft ad slips onto StackOverflow, against site policy • The Register
https://www.theregister.co.uk/2019/06/27/sneaky_fingerprinting_microsoft_ad_sneaks_onto_stackoverflow_against_site_policy/



As you can see, ad publishers are often free to act, regardless of what they think about privacy. Since there is JavaScript that can read which keys the user pressed, developer scohe001 posted the following question on Information Security Stack Exchange: 'If there is a text box for entering a user name and password in the header of a web page where advertisements are displayed, is there a way to prevent the advertisements from reading it? If there are advertisements on a login page, should I consider the page not safe enough to enter my credentials?'

In response, Benoit Esnard, a developer at WEBEDIA, replied, 'There is nothing to prevent passwords from being read by advertisements.' Advertisements can read financial information, passwords, CSRF tokens, etc. through JavaScript. However, he said that this is not the case for sandboxed iframes.

Sandboxed iframes confine an advertisement's JavaScript to its own scope, so advertisements will not be able to violate user privacy. However, Esnard said that many websites do not use sandboxed iframes, as third-party scripts may not work properly.

Esnard says that as long as third-party scripts put your personal information at risk, you should use your own login form and purchase page. Another advantage of the same-origin policy is that scripts running on the advertising origin cannot access anything on the protected origin.
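As an added example (not code from the article or from the Stack Exchange answer), the following sketch audits a login page's markup for the situations described above: third-party scripts included directly in a page with a password field, and ad iframes embedded without a sandbox. It goes one step further and also flags a same-origin iframe whose sandbox grants both `allow-scripts` and `allow-same-origin`; the function names, the hosts `shop.example` and `ads.example`, and the sample markup are assumptions constructed for illustration.

```javascript
// Added example (not from the article). Regex tag scanning is a simplification
// that suits this constructed sample; use a real HTML parser on live pages.
function attrs(tag) {
  const out = {}; // name="value" pairs plus bare attributes such as `sandbox`
  const body = tag.replace(/^<\w+/, "").replace(/\/?>$/, "");
  for (const m of body.matchAll(/([\w-]+)(?:\s*=\s*"([^"]*)")?/g)) {
    out[m[1].toLowerCase()] = m[2] ?? "";
  }
  return out;
}

function auditLoginPage(html, pageOrigin) {
  const findings = [];
  const hasPassword = [...html.matchAll(/<input\b[^>]*>/gi)]
    .some((m) => (attrs(m[0]).type || "").toLowerCase() === "password");
  if (!hasPassword) return findings; // no credential field, nothing to audit
  for (const m of html.matchAll(/<script\b[^>]*>/gi)) {
    const src = attrs(m[0]).src;
    // A third-party script included directly runs with the page's own origin.
    if (src && new URL(src, pageOrigin).origin !== pageOrigin) {
      findings.push(`third-party script in page origin: ${src}`);
    }
  }
  for (const m of html.matchAll(/<iframe\b[^>]*>/gi)) {
    const a = attrs(m[0]);
    const tokens = (a.sandbox || "").split(/\s+/).filter(Boolean);
    const sameOrigin = new URL(a.src || "", pageOrigin).origin === pageOrigin;
    if (!("sandbox" in a)) {
      findings.push(`iframe without sandbox: ${a.src}`);
    } else if (sameOrigin && tokens.includes("allow-scripts") &&
               tokens.includes("allow-same-origin")) {
      // Same-origin content with both tokens can strip its own sandbox.
      findings.push(`same-origin iframe can remove its own sandbox: ${a.src}`);
    }
  }
  return findings;
}

// Constructed sample markup; shop.example and ads.example are placeholder hosts.
const SAMPLE_ORIGIN = "https://shop.example";
const SAMPLE_HTML = `
<form action="/login" method="post">
  <input type="text" name="user"><input type="password" name="pw">
</form>
<script src="/static/app.js"></script>
<script src="https://ads.example/tag.js" async></script>
<iframe src="https://ads.example/banner.html"></iframe>
<iframe src="https://ads.example/box.html" sandbox="allow-scripts"></iframe>
<iframe src="/promo.html" sandbox="allow-scripts allow-same-origin"></iframe>`;
console.log(auditLoginPage(SAMPLE_HTML, SAMPLE_ORIGIN));
```

The first-party script and the cross-origin iframe sandboxed with only `allow-scripts` produce no finding; the other three embeds do.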

in Security, Posted by darkhorse_log