The autofill feature that comes with your browser could be compromising your security and opening the door to identity theft, according to researchers at Princeton University’s Center for Information Technology Policy.

The culprit is what researchers Gunes Acar, Steven Englehardt and Arvind Narayanan wrote on Dec. 27 is a “long-known vulnerability” in the built-in password managers that are common to nearly every web browser. Those utilities capture usernames and passwords in login forms on websites and save them for later reuse at the user’s option. But malicious third parties can use cross-site scripting attacks to insert invisible login forms that capture that information without the user knowing it.

At least two organizations have already done that. The researchers identified Paris-based AdThink Media SA and Warsaw, Poland-based OnAudience Ltd. as the owners of scripts that inject the invisible forms to capture email addresses and then send hashed versions of those addresses to remote servers. In one case, that information was also transmitted back to Acxiom Corp., a company that manages large consumer databases. The cross-scripting technology can also be used to capture passwords, researchers said, but they saw no evidence that any exploits had done so.

Email addresses can be used for a variety of user tracking purposes, even after users have cleared cookies and otherwise attempted to disguise their identity. Email harvesting also presents a security threat since email addresses are commonly used as usernames. By testing addresses in combination with commonly used passwords, attackers could potentially break into user accounts on other websites.

AdThink released a statement to The Verge denying that it shares data with Acxiom and asserting that the code was experimental and has been deleted.

The Princeton researchers said they identified the presence of identity-catching scripts on about 1,100 of the top 1 million sites listed on Alexa.com, an Amazon.com Inc. service that estimates website traffic. That equates to about one-tenth of 1 percent.

The vulnerability arises from a common web security practice called the Same Origin Policy, under which browsers treat all scripts coming from a single domain or website as originating from the same publisher. That means that if a publisher embeds a script on one page of a site, there’s nothing to prevent that script from launching itself on other pages.

“For example, if a user simultaneously has two tabs from the same site open — one containing a login form but no third party, and vice versa — then the third-party script can ‘reach across’ browser tabs and exfiltrate the login information under certain circumstances,” the researchers write. “By embedding a third-party [script] anywhere on its site, the publisher signals that it completely trusts the third party.”

Large and mature websites may have thousands of active but long-forgotten pages that contain scripts. Even if the scripts were originally harmless, the creators could potentially modify them to enable cross-scripting attacks. Publishers can limit damage by putting login forms on separate subdomains or using inline frames, which limit interaction between published page content and external forms.

Users can protect themselves by disabling autofill in their browsers or using ad blockers or tracking protection software. They can also use third-party password managers that don’t fill forms automatically. Keeper Security Inc. and AgileBits Inc. both posted assurances that their respective password managers don’t fill in forms without permission.

Image: Wikimedia Commons