Top Websites Are Tracking Your Keystrokes before You Even Hit Submit

According to a study, a startling number of popular websites collect data you have typed in, such as passwords or email addresses in a sign-up form you later abandon, even if you never press submit. Researchers from KU Leuven, Radboud University, and the University of Lausanne examined the top 100,000 websites. To see whether internet trackers are abusing access to online forms, the team crawled the sites while posing as visitors from the United States and the European Union. According to the study, USAToday and the Independent are among the top sites where email addresses are leaked to tracker domains, although the vulnerabilities at those two websites have since been fixed.

“Users’ email addresses are exfiltrated to tracking, marketing, and analytics domains before form submission and consent on 1,844 websites visited from the EU and 2,950 websites visited from the US,” the researchers write in their study, which will be presented at the USENIX Security’22 security and privacy conference. The sites do not use the data directly themselves, but the third-party marketing and analytics businesses they rely on do. Fifty-two sites, including the Russian domain of Toyota and Russian internet giant Yandex, were found to be gathering data before anyone had pressed submit.

“The logical assumption is that when you click the Submit button on a form, it does something – that it submits your data,” Güneş Acar, professor and researcher at Radboud University’s digital security lab, told Wired. “These results astounded us tremendously. We expected to find a few hundred websites that capture your email address before you submit, but this much surpassed our expectations.” In a follow-up investigation, the researchers found that Meta and TikTok “capture hashed personal information from online forms even when the user does not complete the form or grant consent.”

They ran further web crawls in March 2022, in which their bot would enter email and password information, then click on anything to leave the page without clicking submit. The goal was to determine whether that data ended up in Meta and TikTok’s Automatic Advanced Matching, which gathers personal data identifiers. “We discovered that when a user clicks on nearly any button or link after filling out a form,” they write, “we identified that 8,438 (US) / 7,379 (EU) sites may leak to Meta. We also discovered 154 (US) / 147 (EU) sites that may leak to TikTok in the same way.”
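
A site owner can run the same kind of check on their own pages: fill a form with a seeded address, do not submit, and search the captured outbound requests for that address in plain, encoded, or hashed form. The sketch below is an added example, not the researchers' code; the hostnames, the sample traffic, and the set of encodings checked are constructed assumptions.

```python
import base64
import hashlib
from urllib.parse import quote, urlsplit

def encodings(email):
    """Forms a typed address may take inside a request (assumed set, not exhaustive)."""
    raw = email.strip().lower().encode()
    forms = {"plain": raw.decode(),
             "urlencoded": quote(raw.decode(), safe=""),
             "base64": base64.b64encode(raw).decode()}
    for algo in ("md5", "sha1", "sha256"):
        forms[algo] = hashlib.new(algo, raw).hexdigest()
    return forms

def find_leaks(email, first_party, captured):
    """captured: (url, body, sent_after_submit) tuples from a crawl.
    Returns (host, encoding) for third-party requests sent before submission."""
    leaks = []
    for url, body, after_submit in captured:
        host = urlsplit(url).hostname or ""
        same_site = host == first_party or host.endswith("." + first_party)
        if after_submit or same_site:
            continue
        text = url + "\n" + body
        for label, value in encodings(email).items():
            # Hex digests may be upper-cased in transit; base64 is case-sensitive.
            if value in text or (label != "base64" and value in text.lower()):
                leaks.append((host, label))
    return leaks

# Constructed sample traffic for a seeded address on a hypothetical site.
EMAIL = "alice@example.org"
F = encodings(EMAIL)
SAMPLE = [
    ("https://shop.example/api/check?email=alice%40example.org", "", False),
    ("https://collect.tracker.example/e?ev=pageview", "", False),
    ("https://collect.tracker.example/e?uid=" + F["sha256"].upper(), "", False),
    ("https://cdn.analytics.example/px", "em=" + F["base64"], False),
    ("https://mail.vendor.example/subscribe", "email=" + EMAIL, True),
]

if __name__ == "__main__":
    for host, label in find_leaks(EMAIL, "shop.example", SAMPLE):
        print(f"pre-submit leak to {host} ({label})")
```

Searching for digests as well as the literal string matters because a hashed address still works as a stable identifier for the party receiving it.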