Many popular websites see what you type before you press the submit button; 1,844 sites collected the email addresses of EU users


On a site ranked in the top 1,000, users probably do not expect their information to be captured before they submit it. According to a new study, a surprising number of websites collect some or all of the data users type into forms as they enter it. Among the top 100,000 websites, a surprising number include scripts that behave like keyloggers, quietly recording what a user enters into a form before it is sent.

Researchers from KU Leuven, Radboud University and the University of Lausanne crawled and analyzed the top 100,000 websites, examining scenarios in which a user visits a page from the European Union and from the United States. They found that 1,844 websites collected the email address of EU visitors without consent, and that 2,950 websites leaked the email address of US visitors in some form. Many sites do not appear to intend to collect the data; they embed third-party marketing and analytics services that cause the behavior.

While searching websites for such leaks in May 2021, the researchers also found 52 websites on which third parties, including the Russian technology company Yandex, were collecting password data before submission. The group reported its findings to those sites, and all 52 cases have since been resolved.

“If there’s a submit button on the form, you can reasonably expect it to do something to send your data when you click on it,” says Güneş Acar, a professor and researcher in the Digital Security group at Radboud University and one of the study’s leaders. “We were very surprised by these results. We thought we might find a few hundred sites collecting your email before you send it, but this far exceeded our expectations.”

The ten most popular websites where email addresses leak to tracking domains

The researchers, who will present their findings at the USENIX Security conference in August, say they were prompted to investigate what they call “leaky forms” by news reports, including from Gizmodo, about third parties collecting data from forms regardless of whether they were submitted. They point out that at its core this behavior resembles a keylogger, typically a malicious program that records everything the target types.

In practice, the researchers found variations in the behavior. Some sites recorded data keystroke by keystroke, but many recorded the full contents of a field only once the user clicked into the next one.

“In some cases, when you click on the next field, they collect the previous one, like clicking on the password field and they collect the email, or just clicking anywhere and they immediately collect all the information,” says Asuman Senol, a privacy and identity researcher at KU Leuven and one of the study’s co-authors. “We didn’t expect to find thousands of websites; in the United States the numbers are really high, which is interesting.”


Email leaks – top tracking domains

According to the researchers, the regional difference may be because companies are more careful about tracking EU visitors, and perhaps integrate fewer third parties, on account of the EU General Data Protection Regulation. They stress, however, that this is only a possibility; the study did not examine the reasons for the disparity.

In the course of notifying the websites and third parties that collect data this way, the researchers found that one explanation for the unexpected collection may be the difficulty of distinguishing a “submit” action from other user actions on a given site. From a privacy perspective, they point out, that is not an adequate justification.

Since completing its crawl, the group has also examined Meta Pixel and TikTok Pixel, invisible marketing trackers that companies embed on their websites to track users across the web and show them ads. The documentation of both states that customers can enable “Automatic Advanced Matching”, which triggers data collection when the user submits a form.

Password leaks – top tracking domains

In practice, however, the researchers found that these tracking pixels capture hashed email addresses, an obscured form of the address used to identify Internet users across platforms, before the form is submitted. Hashing does not make the address anonymous: the same input always yields the same hash, so any party that holds the plaintext address can recompute the hash and link the records. For US users, 8,438 sites may have transmitted data to Meta, Facebook’s parent company, via the pixel, and 7,379 sites may be affected for EU users. For TikTok Pixel, the group found 154 sites for US users and 147 for EU users.

The researchers reported the issue to Meta on March 25, and the company quickly assigned an engineer to the case, but the group has not heard from them since. They informed TikTok on April 21, having discovered that pixel’s behavior more recently, and have not received a response. “The privacy risk for users is that they will be monitored even more efficiently; they can be tracked across different websites, across sessions, on mobile and on desktop,” Acar says. “An email address is such a useful tracking identifier because it is global, unique and constant. You cannot delete it as you delete your cookies. It is a very powerful identifier.”

Acar also points out that as technology companies move to phase out cookie-based tracking in response to privacy concerns, retailers and analytics providers increasingly rely on static identifiers such as phone numbers and email addresses.

Because the results show that deleting what you typed into a form before submitting it may not be enough to prevent collection, the researchers created a Firefox extension called LeakInspector that detects scripts sniffing form data. They hope their results will raise awareness among Internet users, but also among developers and webmasters, who can proactively check whether their own systems, or the third parties they embed, collect form data without consent.

Leaks to Meta (Facebook) and TikTok

Meta Pixel and TikTok Pixel have a feature called Automatic Advanced Matching that automatically collects hashed personal identifiers, such as email addresses and names, from web forms. The hashed identifiers are then used on the respective platform to target ads, measure conversions, or build custom audiences.

According to Meta’s and TikTok’s documentation, Automatic Advanced Matching should only begin collecting data when the user submits the form. The researchers say that, contrary to this claim, both pixels collect hashed personal data when a user clicks on links or buttons that are not submit buttons. In fact, the Meta and TikTok scripts do not even try to recognize submit buttons or listen for the form’s submit event; they react to clicks. As a result, both pixels collect hashed personal data even when the user abandons the form and clicks a button or link to leave the page.

Communication with Meta

“The SubscribedButtonClick event fires on every click, causing personal data collection that goes against the user’s intent. When Automatic Advanced Matching is enabled, the SubscribedButtonClick event is triggered after a click on almost any button or link on the page. This means that Meta Pixel collects hashed personal data even when the user decides to leave the form and clicks a button or link to leave the page.

“According to its official documentation, Automatic Advanced Matching should start collecting data when the user submits the form: ‘After the visitor clicks submit, JavaScript in the pixel automatically detects and forwards the relevant form fields to Facebook.’ Contrary to this, Meta Pixel collects hashed personal information when a user clicks on links or buttons that are not submit buttons. In fact, the Meta JavaScript code in question does not even try to recognize submit buttons or listen for form submit events.

abcmouse.com (children’s website): Meta Pixel collects a hashed email address when the user closes the newsletter dialog. In this case, sharing the email address is the exact opposite of the user’s intention.

prothomalo.com: Clicking on the “Back”, “Terms of Use” or “Privacy Policy” links triggers collection of the hashed email address and the hashed first and last name. “We hope you will recognize the discrepancy between the documented behavior and the actual behavior of Automatic Advanced Matching and take the necessary steps to resolve this issue.”

A similar communication was sent to TikTok.

Source: KU Leuven
