Many popular websites see what you type before you hit the submit button: 1,844 websites collected the email address of an EU user


On a major site ranked in the top 1,000, users probably don’t expect their information to be logged as they enter it. According to a new study, a staggering number of websites collect some or all of a user’s data as it is typed. An astonishing number of the top 100,000 websites run keyloggers that secretly record everything a user types into a form.

Researchers from KU Leuven, Radboud University and the University of Lausanne crawled and analyzed the top 100,000 websites, examining scenarios in which a user visits a site from the European Union and from the United States. They found that 1,844 sites harvested the email address of an EU user without consent, and 2,950 sites harvested the email address of a US user in some form. It appears that many sites do not intend to collect data, but integrate third-party marketing and analytics services that cause this behaviour.

In May 2021, after crawling websites specifically for password leaks, the researchers also uncovered 52 websites on which third parties, including Russian tech giant Yandex, had been collecting password data before submission. The group reported its findings to those sites, and all 52 cases have since been resolved.

“If there is a submit button on a form, it is logical to expect it to do something that submits your data when it is clicked,” says Güneş Acar, professor and researcher in the Digital Security group at Radboud University and one of the study leaders. “We were very surprised by these results. We thought we might find a few hundred websites where your email is collected before sending it, but this far exceeded our expectations.”

Top 10 websites where email addresses are leaked to tracking domains

The researchers, who will present their findings at the Usenix security conference in August, say they were prompted to investigate what they call “leaky forms” by news reports, including from Gizmodo, about third parties collecting form data regardless of submission status. In essence, they noted, this behavior is similar to keyloggers, which are malware that records everything a target types.

As mentioned above, on a major site ranked in the top 1,000, users may not expect their information to be logged as they enter it. In practice, the researchers found some difference in behavior. Some sites log data on a key-by-key basis, but many sites log the complete contents of one field when users click on the next.

“In some cases when you click on the next field, they collect the previous one, such as you click on the password field and collect email, or just click anywhere and immediately collect all the information,” says Asuman Senol, privacy and identity researcher at KU Leuven and one of the study’s authors. “We did not expect to find thousands of sites; and in the US, the numbers are really high, which is interesting.”


Email Leaks – The Most Important Tracking Domains

According to the researchers, the regional differences may be related to companies being more careful about tracking users, and even the possibility of integrating with fewer third parties, due to the EU’s General Data Protection Regulation. But they point out that this is only a possibility, and that the study did not examine explanations for this disparity.

Through a major effort to notify websites and third parties that collect data in this way, researchers have found that one explanation for unexpected data collection may be related to the difficulty in distinguishing a “submit” action from other user actions on certain web pages. But the researchers note that this is not an appropriate rationale from a privacy perspective.

Since completing their research, the group has also made a discovery about Meta Pixel and TikTok Pixel, invisible marketing trackers that websites embed in their pages to track users around the web and show them ads. In their documentation, both claim that customers can enable “Advanced Automatic Matching”, which collects data when a user submits a form.

Password Leaks – The Most Important Tracking Domains

In practice, the researchers found that these tracking pixels captured hashed email addresses, a disguised version of email addresses used to identify Internet users across different platforms, before the form was submitted. For US users, 8,438 sites may have transferred data to Meta, Facebook’s parent company, through pixels, and for European users 7,379 sites may be affected. For TikTok Pixel, the group found 154 sites for US users and 147 for European users.

The researchers submitted a bug report to Meta on March 25, and the company quickly assigned an engineer to the case, but the group has heard nothing from them since. The researchers notified TikTok on April 21, having discovered TikTok’s behavior more recently, and have received no response. “The privacy risk for users is that they will be tracked more effectively; they can be tracked across different websites, across different sessions, across mobile and desktop devices,” says Acar. “An email address is a useful identifier for tracking because it is global, unique, and persistent. You can’t delete it the way you delete your cookies. It’s a very powerful identifier.”

Acar also notes that as tech companies seek to phase out cookie-based tracking to address privacy concerns, marketers and other analysts are increasingly relying on persistent identifiers such as phone numbers and email addresses.

Since the findings suggest that deleting data from a form before it’s submitted might not be enough to protect you from collection, the researchers created an extension for Firefox called LeakInspector to detect malicious forms. They hope their findings will raise awareness among Internet users, as well as website developers and administrators, who can proactively check whether their own systems or the third parties they use are collecting data in forms without consent.
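A check of the kind a site operator could run against a request log captured from their own pages, given here as an added example that is not LeakInspector's code or the researchers' tooling: it searches third-party requests sent before submission for the typed address in plain, URL-encoded, Base64 and hashed forms. The log format, hostnames and parameter names are constructed for illustration.

```javascript
// Added example (not LeakInspector's code): flag third-party requests that carry
// a typed email address, in plain, encoded or hashed form, before form submission.
const crypto = require("crypto");

const hex = (alg, s) => crypto.createHash(alg).update(s).digest("hex");

// Every representation of the typed value that we search outgoing traffic for.
function needles(email) {
  const e = email.trim().toLowerCase();
  return {
    plain: e,
    urlencoded: encodeURIComponent(e),
    base64: Buffer.from(e).toString("base64"),
    md5: hex("md5", e),
    sha1: hex("sha1", e),
    sha256: hex("sha256", e),
  };
}

// requests: [{ t: ms since page load, url, body }]; submitTime: ms, or null if
// the user abandoned the form, in which case every request counts as pre-submit.
function findLeaks(requests, email, submitTime, firstParty) {
  const n = needles(email);
  const leaks = [];
  for (const r of requests) {
    const host = new URL(r.url).hostname;
    const thirdParty = host !== firstParty && !host.endsWith("." + firstParty);
    if (!thirdParty || r.t >= (submitTime ?? Infinity)) continue;
    const raw = r.url + "\n" + (r.body || "");
    const lower = raw.toLowerCase();
    // Base64 is case-sensitive; the other forms are compared case-insensitively.
    const forms = Object.keys(n).filter((k) =>
      k === "base64" ? raw.includes(n[k]) : lower.includes(n[k].toLowerCase()));
    if (forms.length) leaks.push({ host, t: r.t, forms });
  }
  return leaks;
}

// Constructed capture: the user types an address, clicks away, submits at t=3000.
function sampleRequests(email) {
  const h = hex("sha256", email);
  return [
    { t: 900, url: "https://shop.example/api/validate", body: `email=${email}` },
    { t: 1000, url: "https://cdn.example/lib.js", body: "" },
    { t: 1200, url: `https://tracker.example/tr?ev=click&em=${h}`, body: "" },
    { t: 1500, url: "https://analytics.example/e", body: `v=${encodeURIComponent(email)}` },
    { t: 5000, url: "https://tracker.example/tr?ev=submit", body: `em=${h}` },
  ];
}

console.log(findLeaks(sampleRequests("alice@example.com"), "alice@example.com", 3000, "shop.example"));
```

Passing `null` as the submit time models an abandoned form, so the later request to the tracker is reported as well.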

Leaks to Meta (Facebook) and TikTok

Meta Pixel and TikTok Pixel both have a feature called Advanced Automatic Matching that automatically collects hashed personal identifiers from web forms. The hashed personal identifiers are then used to target ads on the respective platforms, measure conversions, or create new custom audiences.

According to the Meta and TikTok documentation, advanced automatic matching should collect data when a user submits a form. Researchers say they have found that, contrary to what is claimed, Meta and TikTok Pixel collect hashed personal data when a user clicks on links or buttons that don’t look like a submit button. In fact, Meta and TikTok scripts don’t even attempt to recognize submit buttons or listen to (form) submit events. This means that Meta and TikTok Pixel collect hashed personal information, even when a user decides to abandon a form and click a button/link to leave the page.

Contact with Meta

The SubscribedButtonClick event is triggered on each click, which causes PII to be collected against the user’s intent. When advanced automatic matching is enabled, the SubscribedButtonClick event is fired after almost any button or link on the page is clicked. This means that Meta Pixel collects hashed personal information even when the user decides to abandon a form and clicks a button/link to leave the page.

According to its official page, advanced automatic matching should collect data when a user submits a form: “After a visitor clicks the submit button, the JavaScript pixel code automatically detects the relevant form fields and passes them to Facebook.” Contrary to what is claimed, Meta Pixel collects hashed personal data when a user clicks on links or buttons that do not look like a submit button. In fact, the Meta JavaScript code in question doesn’t even attempt to recognize submit buttons, or listen for (form) submit events.

abcmouse.com (children’s website): Meta Pixel collects the hashed email address when the user closes the newsletter dialog. In this case, sharing the email address is the exact opposite of the user’s intent.

prothomalo.com: Clicking on the Back, Terms of Service, or Privacy Policy links triggers the collection of the hashed email address and the (hashed) first and last name.

“We hope that you will recognize the discrepancy between the described behavior and the actual behavior of Advanced Auto Match, and take the necessary steps to resolve this issue.”

Similar contact was made with TikTok.

Source: KU Leuven
