100,000 sites collect what you type before you click Submit

When you write a comment or make a hotel reservation, you probably take it for granted that if you change your mind and press X to exit the page, the message is deleted.

Until now, the assumption has been that nothing happens until you press the Submit button, right?


Well, no. That is not always the case, according to new research: a large number of websites collect some or all of your data as you type.

Researchers from KU Leuven, Radboud University and the University of Lausanne have identified and analyzed 100,000 top websites, looking at scenarios in which a user visits a website while in the European Union and while in the United States.

They found that 1,844 websites retained an EU user's email address without the user's consent and around 2,950 stored users' emails from the US. Many of the sites do not appear to intend to capture data, but they incorporate third-party marketing and analytics services that cause this behavior.


Following a dedicated search for sites leaking passwords in May 2021, the researchers also found 52 sites where third-party services, such as Russia's Yandex, incidentally collected password data before it was submitted. The team disclosed its findings to these services, and since then all 52 cases have been fixed.

"If there is a Submit button on a form, the reasonable expectation is that it will do something, it will not submit your data before you click on it," said Güneş Acar, a professor and researcher in the Radboud University Digital Security team and one of the leaders of the study.

"All these results were a big surprise. We thought we might find a few hundred websites collecting your emails before you submit, but that far exceeded our expectations."

The researchers will present their findings at the USENIX Security conference in August. They report that this behavior is similar to that of so-called keyloggers, which are usually malicious programs that record everything a user types. But on the top 1,000 websites, users do not expect anyone to record their information. In practice, the researchers observed some variations of the same behavior. Some sites record some of the data as it is typed, and others grab the full contents of one form field when users click into the next one (rather than on send).

"In some cases, when you click to go to the next field, they collect the previous one, such as when you click in the password field, they collect the email. There are other forms that you just click on and collect all the information right away," said Asuman Senol, a data protection officer and researcher at KU Leuven and one of the study's co-authors.

"We did not expect to find thousands of sites in the US and the numbers are really high, which is very interesting."

The team also took a particular interest in the Meta Pixel and TikTok Pixel features. These are essentially invisible marketing trackers that administrators embed in their sites to track users on the web and show them ads.

Both features claim that users can turn off "Automatic Advanced Matching", which disables data collection when a user submits a form.

In practice, however, the researchers found that these tracking pixels grabbed hashed email addresses, an obscured version of email addresses used to identify web users across multiple platforms, before the form was submitted.

For US users, 8,438 sites leak data to Meta, Facebook's parent company, via Meta Pixel, and 7,379 sites affect EU users. For TikTok Pixel, the team found 154 sites for US users and 147 for EU users.
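
One way a site owner could check a page for the behavior described above: the following added example, which is not the researchers' tooling or code from this article, scans a recorded page trace for a typed email address, in plain, encoded or hashed form, sent to third-party hosts before the Submit event. The trace format, the host names and the set of encodings checked are assumptions made for illustration.

```javascript
// Added example: audit a recorded page trace for typed data sent before submit.
const crypto = require("node:crypto");
const hex = (alg, s) => crypto.createHash(alg).update(s).digest("hex");

// Forms in which a script might transmit the typed value (assumed set).
function encodings(value) {
  const v = value.trim().toLowerCase();
  return {
    plain: v,
    urlencoded: encodeURIComponent(v),
    base64: Buffer.from(v).toString("base64"),
    md5: hex("md5", v),
    sha1: hex("sha1", v),
    sha256: hex("sha256", v),
  };
}

// trace: ordered events, {type: "request", url, body} or {type: "submit"}.
// Returns third-party requests that carry typedValue before the first submit.
function findPreSubmitLeaks(trace, typedValue, firstParty) {
  if (!typedValue.trim()) return []; // an empty needle would match everything
  const needles = Object.entries(encodings(typedValue));
  const leaks = [];
  for (const ev of trace) {
    if (ev.type === "submit") break; // traffic after submit is expected
    if (ev.type !== "request") continue;
    const host = new URL(ev.url).hostname;
    if (host === firstParty || host.endsWith("." + firstParty)) continue;
    const raw = ev.url + "\n" + (ev.body || "");
    const lower = raw.toLowerCase(); // hex digests may be upper-cased in transit
    const hit = needles.find(([, n]) => raw.includes(n) || lower.includes(n));
    if (hit) leaks.push({ host, encoding: hit[0] });
  }
  return leaks;
}

// Constructed trace: the user types an email, tabs to the password field,
// and only later clicks Submit. Hosts are made up.
const EMAIL = "alice@example.test";
const SAMPLE_TRACE = [
  { type: "request", url: "https://shop.example.test/api/cart" },
  { type: "request", url: "https://pixel.tracker.example/ev?em=" + hex("sha256", EMAIL) },
  { type: "request", url: "https://stats.analytics.example/c",
    body: "f=" + Buffer.from(EMAIL).toString("base64") },
  { type: "submit" },
  { type: "request", url: "https://pixel.tracker.example/ev?em=" + hex("sha256", EMAIL) },
];

console.log(findPreSubmitLeaks(SAMPLE_TRACE, EMAIL, "shop.example.test"));
```

Only the two requests sent before the submit event are reported; the identical pixel request sent after submit is not.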
