Many Popular Websites See What You Type Before You Hit the Submit Button; 1,844 Websites Collected EU Users’ Email Addresses

On a mainstream site ranked in the top 1,000, users probably do not expect their keystrokes to be logged. According to a new study, however, a surprising number of websites collect some or all of the data users enter into forms as they type it, before any submit button is pressed. Among the top 100,000 websites, the researchers found many whose scripts behave like keyloggers, recording what a user types into a form.

Researchers from KU Leuven, Radboud University and the University of Lausanne crawled the top 100,000 websites, examining two scenarios: a user visiting from the European Union and a user visiting from the United States. They found that 1,844 websites harvested an EU user’s email address without consent, and 2,950 websites logged a US user’s email address in some form, all before the form was submitted. Many of these sites do not appear to intend to collect the data themselves; they integrate third-party marketing and analytics services whose scripts cause this behavior.

In a May 2021 crawl aimed at leaked passwords, the researchers also uncovered 52 websites where third parties, including the Russian tech giant Yandex, were collecting password data before the user submitted it. The group reported its findings to those sites, and all 52 cases have since been resolved.

“If there is a submit button on a form, it can reasonably be expected to do something, that is, to submit your data when you click on it,” says Güneş Acar, a professor and researcher with the Digital Security group at Radboud University and one of the study’s leaders. “We were very surprised by these results. We thought we might find a few hundred websites where your email is collected before you submit it, but this far exceeded our expectations.”

Top ten websites where email addresses are leaked to tracker domains

The researchers, who will present their findings at the USENIX Security conference in August, say they were prompted to investigate what they call “leaky forms” by news reports, including from Gizmodo, about third parties collecting form data regardless of whether the form was submitted. They point out that, at its core, this behavior is similar to that of keyloggers, which are typically malicious programs that record everything a target types.

In practice, the researchers found some variation in behavior. Some sites logged data key by key, while many captured the full contents of one field only when the user moved on to the next.

“In some cases when you click on the next field they collect the previous one, like you click on the password field and they collect the email, or you just click anywhere and they collect all the information immediately,” says Asuman Senol, a privacy and identity researcher at KU Leuven and one of the study’s co-authors. “We didn’t expect to find thousands of websites; and in the US the numbers are really high, which is interesting.”

Email Leaks – Top Tracking Domains

According to the researchers, the regional differences may be related to companies being more careful about tracking users, and potentially integrating with fewer third parties, because of the EU’s General Data Protection Regulation. They point out, however, that this is only a possibility: the study did not investigate the cause of the disparity.

Through a substantial effort to notify websites and the third parties collecting data in this way, the researchers found that one explanation for the unexpected collection is the difficulty of distinguishing a genuine “submit” action from other user actions on some pages. From a privacy perspective, they add, this is not an adequate justification.

Since completing their paper, the group has also made a discovery about Meta Pixel and TikTok Pixel, the invisible marketing trackers that services embed on their websites to track users around the web and show them ads. According to both vendors’ documentation, customers can enable “automatic advanced matching,” which is supposed to trigger data collection only when a user submits a form.

Password Leaks – Top Tracking Domains

In practice, however, the researchers found that these tracking pixels captured hashed email addresses, an obfuscated form of the address that advertising platforms use to recognize the same person across sites, before the form was submitted. For US users, 8,438 sites may have transmitted data to Meta, Facebook’s parent company, through its pixel, and 7,379 sites may be affected for EU users. For TikTok Pixel, the group found 154 sites for US users and 147 for EU users.

The researchers filed a bug report with Meta on March 25, and the company quickly assigned an engineer to the case, but the group has not heard from them since. The researchers, who discovered TikTok’s behavior more recently, notified TikTok on April 21 and have not heard back. “The privacy risks for users are that they will be tracked even more effectively; they can be tracked across different websites, across different sessions, across mobile and desktop,” says Acar. “An email address is such a useful identifier for tracking because it is global, unique, and constant. You cannot delete it like you delete your cookies. It is a very powerful identifier.”

Acar also points out that as tech companies move to phase out cookie-based tracking to address privacy concerns, marketers and other analytics providers are increasingly relying on static identifiers such as phone numbers and email addresses.

Since the results indicate that deleting what you typed into a form before submitting it may not be enough to keep it from being collected, the researchers created a Firefox extension called LeakInspector to detect leaky forms. They hope their results will raise awareness among Internet users, but also among website developers and administrators, who can proactively check whether their own systems, or the third parties they use, collect form data without consent.

Leaks to Meta (Facebook) & TikTok

Meta Pixel and TikTok Pixel both offer a feature called Automatic Advanced Matching that automatically collects hashed personal identifiers from web forms. The hashed identifiers are then used to target advertisements on the respective platforms, measure conversions, or build new custom audiences.

According to documentation from Meta and TikTok, Automatic Advanced Matching should trigger data collection when a user submits a form. The researchers say that, contrary to this claim, both pixels collect hashed personal data when the user clicks links or buttons that look nothing like a submit button. In fact, the Meta and TikTok scripts do not even try to recognize submit buttons or listen for (form) submit events. As a result, both pixels collect hashed personal information even when a user abandons a form and clicks a button or link to leave the page.

Communication to Meta

“The SubscribedButtonClick event fires on every click, causing PII to be collected against the user’s intent. When Automatic Advanced Matching is enabled, the SubscribedButtonClick event is fired after clicking almost any button or link on a page. This means that Meta Pixel collects hashed personal information, even when a user decides to abandon a form and clicks a button/link to leave the page.

“According to its official page, Automatic Advanced Matching should trigger data collection when a user submits a form: ‘After the visitor clicks submit, the pixel’s JavaScript code automatically detects and passes relevant form fields to Facebook.’ Contrary to what is claimed, Meta Pixel collects hashed personal data when the user clicks on links or buttons that look nothing like a submit button. In fact, the Meta JavaScript code in question doesn’t even try to recognize submit buttons, or listen for (form) submit events. [...] (a children’s website): Meta Pixel collects the hashed email address when the user closes the newsletter dialog. In this case, sharing the email address is the exact opposite of the user’s intent. [...] Clicking on the ‘Back’, ‘Terms of Service’ or ‘Privacy Policy’ links triggers the collection of the hashed email address and the (hashed) first and last name. We hope you will recognize the discrepancy between the described behavior and the actual behavior of Automatic Advanced Matching, and take the necessary steps to resolve this issue.”

A similar communication was sent to TikTok.

Source: KU Leuven
