Thousands of popular websites see what you type before you hit submit

- Advertisement -


When you sign subscribe to a newsletter, book a hotel room, or apply online, you probably take it for granted that if you misspell your email address three times or change your mind and leave the page, it doesn’t matter. Nothing really happens until you hit the submit button, right? Well, maybe not. As with many other network assumptions, this is not always the case. new research: A surprising number of websites collect some or all of your data when you enter it digitally.

- Advertisement -

Researchers from KU Leuven, Radboud University and the University of Lausanne scanned and analyzed the top 100,000 websites by examining scenarios in which a user visits a site while in the European Union and visits a site from the US. They found that 1,844 websites were harvesting the email addresses of EU users without their consent, and a staggering 2,950 registered emails of US users in some form. Many of the sites do not appear to have the intention of logging data, but include third party marketing and analytics services that cause this behavior.

- Advertisement -

After specifically scanning sites for password leaks in May 2021, the researchers also found 52 websites where third parties, including Russian tech giant Yandex, accidentally collected password data before sending it. The group reported their findings to these sites and all 52 cases have since been resolved.

“If a form has a Submit button, it’s reasonable to expect it to do something — that it submit your data when you click on it,” says Gunesh Akar, a professor and researcher at the Digital Security Group at Radboud University and one of the leaders . research. “We were very surprised by these results. We thought we might find a few hundred websites where your email is collected before being sent, but this far exceeded our expectations.”

- Advertisement -

Researchers who will present time their findings at the Usenix security conference in August say they were inspired by media reports to investigate what they call “leaky forms” especially from Gizmodo, about third parties collecting form data, regardless of the status of the submission. They note that, in essence, the behavior is similar to the so-called keyloggers, which are usually malware which register all types of targets. But on a popular top 1000 site, users probably don’t expect their information to be encrypted. And in practice, the researchers saw several behaviors. Some sites logged keystroke after keystroke, but many got full data from one field as users clicked on the next.

“In some cases, when you click on the next field, they collect the previous one, for example, you click on the password field and they collect email, or you just click anywhere and they immediately collect all the information,” says Asuman Senol. , privacy specialist. and identity researcher at KU Leuven and one of the co-authors of the study. “We didn’t expect to find thousands of websites; and in the US the numbers are really high, which is interesting.”

The researchers say regional differences may be due to companies being more cautious about tracking users and even potentially integrating with fewer third parties due to the EU’s General Data Protection Regulation. But they emphasize that this is just one possibility, and the study did not look at explaining the discrepancy.

As a result of significant efforts to notify websites and third parties that collect data in this way, the researchers found that one explanation for the unexpected data collection may be related to the problem of differentiating the “submit” action from other user actions on certain websites. pages. But the researchers emphasize that, in terms of privacy, this is not a good enough justification.

Since their completion paper, the group also learned about the Meta Pixel and TikTok Pixel, invisible marketing trackers that services embed on their websites to track users online and serve them ads. Both have stated in their documentation that clients can enable “automatic extended matching” which triggers data collection when the user submits the form. However, in practice, the researchers found that these tracking pixels collected hashed email addresses, a hidden version of email addresses used to identify web users across platforms, before being sent. For US users, 8,438 sites could transmit data to Meta, Facebook’s parent company, via pixels, and 7,379 sites could be affected for EU users. For TikTok Pixel, the group found 154 sites for US users and 147 for EU users.

The researchers filed a bug report with Meta on March 25, and the company quickly assigned an engineer to the case, but the team hasn’t received an update since. The researchers notified TikTok on April 21 – they discovered TikTok’s behavior very recently – and received no response. Meta and TikTok did not immediately respond to WIRED’s request for comment on the results.

“The privacy risks for users are that they will be tracked even more effectively; they can be tracked across websites, across sessions, across mobile and desktop devices,” says Akar. “An email address is such a useful tracking identifier because it is global, unique, and persistent. You cannot clear it the way you clear cookies. It’s a very powerful identifier.”

Akar also notes that as tech companies look to phase out cookie-based tracking in deference to privacy, marketers and other analysts will increasingly rely on static identifiers such as phone numbers and email addresses.

Because the results show that deleting form data before submitting it may not be enough to protect yourself from all fees, the researchers created Firefox extension LeakInspector is called to detect a rogue form collection. And they say they hope their results will raise awareness of the issue, not only for regular Internet users, but also for website developers and administrators, who can check in advance whether their own systems or any third-party systems are collecting data from forms without consent.

Leaky forms are another type of data collection to be wary of in an already extremely crowded online field.

.


Credit: www.wired.com /

- Advertisement -

Stay on top - Get the daily news in your inbox

DMCA / Correction Notice

Recent Articles

Related Stories

Stay on top - Get the daily news in your inbox