The researchers over at Freedom to Tinker found two third-party tracking scripts that abuse browsers' built-in login managers to retrieve and exfiltrate user IDs: the script injects a login form the user never sees, the browser's password manager autofills it, and the script reads the value back and sends it off to the tracker's servers.
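The tell-tale sign of that technique is a credential-type field (email or password) that is fillable but rendered invisible. The scanner below is an added example, not code from the original post, from Freedom to Tinker or from OnAudience; it flags such fields using a few visibility heuristics. The field descriptors are plain objects so the logic runs and can be tested outside a browser, and the `describeDocument` wrapper builds them from a live DOM when one exists. The sample fields at the bottom are constructed for the example and are not taken from any real site.

```javascript
// Added example: heuristic detection of hidden, autofill-able credential fields,
// the pattern used by login-manager harvesting scripts. Not the original post's code.

const CREDENTIAL_AUTOCOMPLETE = new Set(["email", "username", "current-password"]);

// A field a password manager would be willing to fill: password/email inputs,
// or plain text inputs that advertise a credential autocomplete token.
function isCredentialField(f) {
  const type = (f.type || "text").toLowerCase();
  const ac = (f.autocomplete || "").toLowerCase();
  if (type === "password" || type === "email") return true;
  return type === "text" && CREDENTIAL_AUTOCOMPLETE.has(ac);
}

// A field the user cannot see: display:none / visibility:hidden, fully
// transparent, zero-sized, or pushed entirely off-screen.
function isVisuallyHidden(f) {
  const s = f.style || {};
  if (s.display === "none" || s.visibility === "hidden") return true;
  if (Number(s.opacity) === 0) return true;
  const r = f.rect || { x: 0, y: 0, width: 1, height: 1 };
  if (r.width === 0 || r.height === 0) return true;           // collapsed box
  if (r.x + r.width <= 0 || r.y + r.height <= 0) return true;  // off-screen to the left/top
  return false;
}

// Return every field that is both fillable-as-a-credential and invisible.
function findHiddenCredentialFields(fields) {
  return fields.filter((f) => isCredentialField(f) && isVisuallyHidden(f));
}

// Convenience: just the names of the suspicious fields.
function scan(fields) {
  return findHiddenCredentialFields(fields).map((f) => f.name);
}

// Build descriptors from a real document (browser only; `doc` is assumed to be
// a Document with a defaultView). Each descriptor records computed style and
// layout box so the same heuristics apply.
function describeDocument(doc) {
  return Array.from(doc.querySelectorAll("input")).map((el) => {
    const cs = doc.defaultView.getComputedStyle(el);
    const r = el.getBoundingClientRect();
    return {
      name: el.name || el.id || "(unnamed)",
      type: el.type,
      autocomplete: el.getAttribute("autocomplete") || "",
      style: { display: cs.display, visibility: cs.visibility, opacity: cs.opacity },
      rect: { x: r.left, y: r.top, width: r.width, height: r.height },
      formAction: (el.form && el.form.action) || "",
    };
  });
}

// Constructed sample: a legitimate, visible login form, a search box, and two
// fields of the kind a harvesting script would inject.
const SAMPLE_FIELDS = [
  { name: "user", type: "email", autocomplete: "username",
    style: { display: "block", opacity: "1" }, rect: { x: 100, y: 200, width: 240, height: 30 } },
  { name: "pass", type: "password",
    style: { display: "block", opacity: "1" }, rect: { x: 100, y: 240, width: 240, height: 30 } },
  { name: "q", type: "text",
    style: { display: "block", opacity: "1" }, rect: { x: 500, y: 20, width: 200, height: 30 } },
  { name: "e", type: "email",                       // visible style, but parked far off-screen
    style: { display: "block", opacity: "1" }, rect: { x: -5000, y: -5000, width: 240, height: 30 } },
  { name: "p", type: "password",                    // display:none, still autofill-able
    style: { display: "none", opacity: "1" }, rect: { x: 0, y: 0, width: 0, height: 0 } },
];

if (typeof document !== "undefined") {
  console.log("suspicious fields on this page:", scan(describeDocument(document)));
} else {
  console.log("suspicious fields in sample:", scan(SAMPLE_FIELDS)); // -> [ 'e', 'p' ]
}
```

Run it in Node to see the sample result, or paste it into a browser console to check the current page. It is a heuristic: legitimate multi-step login flows sometimes hide a password field until the username has been entered, so a hit is a reason to look at which origin the form submits to, not proof of harvesting. The durable fix sits in the browser's fill policy (for example, not filling credentials until the user interacts with the field), not in page-side detection.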
Below is the email I sent, and the reply from OnAudience.
The script that OnAudience uses can be found here.
If you have time, check out this tweet thread between Carl Gottlieb and AntiSocial Engineer, in which they discuss the law versus what happens (or should happen) in reality.
It’s covered in a contract pre-assessment. CMA is excused for corporate accounts, and people’s personal lives are up for scrutiny – if they choose to share publicly! We would use that information as a criminal would. By its very setting, personal stuff ends up in the public arena.
— AntiSocial Engineer (@antisocial_eng) January 3, 2018
Public domain has no legal consequence. It’s still your personal data. There is a legal limit to how far a company can go.
— Carl Gottlieb (@CarlGottlieb) January 3, 2018
Carl mate, cybercrime is a real issue, we’ve got some police not knowing the basics, thousands of victims a day losing everything… you’re a clever bloke, so why not see past this veil of InfoSec, GDPR hypotheticals and such and put your talents to proper use.
— AntiSocial Engineer (@antisocial_eng) January 3, 2018