100.000 sites collect what you type before you click Submit

When you write a comment or make a hotel reservation, you probably take it for granted that if you change your mind and press X to exit the page, the message is deleted.

What we have known so far is that nothing happens until you press the Submit button, right?


Well, no. This is not always the case, according to new research: a large number of sites collect some or all of the data you enter, right as you type it.

Researchers from KU Leuven, Radboud University and Lausanne University crawled and analyzed 100.000 top websites, looking at scenarios in which a user visits a website while in the European Union and from the United States.

They found that 1.844 websites retained an EU user's email address without their consent and around 2.950 stored users' emails from the US. Many of the sites do not appear to intend to capture the data themselves, but they incorporate third-party marketing and analytics services that cause this behavior.


After a dedicated crawl of websites for password leaks in May, the researchers also found 52 websites on which third-party services, such as the Russian Yandex, were incidentally collecting password data before it was submitted. The team disclosed its findings to these services, and all 52 cases have since been fixed.

"If there is a Submit button on a form, the reasonable expectation is that it will do something, not submit your data before you click on it," says Güneş Acar, a professor and researcher at Radboud University's digital security group and one of the study's pioneers.

"All these results were a big surprise. We thought we might find a few hundred websites collecting your emails before you submit, but that far exceeded our expectations."

The researchers will present their findings at the Usenix security conference in August. They report that this behavior is similar to so-called keyloggers, which are usually malicious programs that record everything a user types. But on the top 1.000 websites, users do not expect anyone to be recording their keystrokes. In practice, the researchers observed a few variations of the same behavior. Some sites recorded some of the keystroke data, while others grabbed the complete contents of a form's fields when users clicked on to the next field (rather than on Submit).

"In some cases, when you click to go to the next field, they collect the previous one, like when you click on the password field they collect the email. There are other forms where you just click anywhere and they immediately collect all the information," says Asuman Senol, manager of personal data and researcher at KU Leuven, and one of the co-authors of the study.

"We did not expect to find thousands of sites in the US and the numbers are really high, which is very interesting."

The team also found much of interest in the Meta Pixel and TikTok Pixel features. These are essentially invisible marketing trackers that administrators embed on their websites to track users around the web and show them ads.

Both features claim that users can turn off "auto composite mapping", which disables data collection when a user submits a form.

In practice, however, the researchers found that these tracking pixels snatched hashed email addresses, an obscured version of email addresses used to identify web users across multiple platforms, before the form was submitted.

For US users, 8.438 sites leak data to Meta, Facebook's parent company, through the Meta Pixel, and 7.379 sites do so for EU users. For the TikTok Pixel, the team found 154 sites for US users and 147 for EU users.
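Site owners can check their own forms for the behavior described above by capturing browser events and outgoing requests while filling in a form without submitting it. The following is an added example, not code from the researchers or from this article; the event format, the host names and the set of encodings checked (plaintext, Base64, MD5, SHA-1, SHA-256) are assumptions.

```python
import base64
import hashlib
from urllib.parse import unquote

def email_variants(email):
    """Forms in which a typed e-mail may show up inside a request."""
    raw = email.strip().lower().encode()
    variants = {"plaintext": raw.decode(),
                "base64": base64.b64encode(raw).decode()}
    for algo in ("md5", "sha1", "sha256"):
        variants[algo] = hashlib.new(algo, raw).hexdigest()
    return variants

def find_presubmit_leaks(email, site, events):
    """Return (host, encoding, is_third_party) for every request that
    carries the e-mail before the first submit event."""
    leaks = []
    for ev in events:                      # events are in time order
        if ev["type"] == "submit":
            break                          # later traffic is the expected submission
        if ev["type"] != "request":
            continue
        payload = unquote(ev["url"]) + "\n" + unquote(ev.get("body", ""))
        for label, needle in email_variants(email).items():
            # Base64 is case-sensitive; e-mail text and hex digests are not
            hay = payload if label == "base64" else payload.lower()
            if needle in hay:
                host = ev["host"]
                third = not (host == site or host.endswith("." + site))
                leaks.append((host, label, third))
    return leaks

# Constructed sample capture: hosts, paths and parameter names are made up.
EMAIL = "alice@example.com"
V = email_variants(EMAIL)
SAMPLE_EVENTS = [
    {"type": "input", "field": "email"},
    {"type": "request", "host": "shop.example", "url": "https://shop.example/api/cart"},
    {"type": "request", "host": "t.tracker.example",
     "url": "https://t.tracker.example/collect?em=" + V["sha256"]},
    {"type": "request", "host": "replay.example",
     "url": "https://replay.example/rec", "body": "field=email&value=alice%40example.com"},
    {"type": "submit"},
    {"type": "request", "host": "shop.example",
     "url": "https://shop.example/signup", "body": "email=alice%40example.com"},
]

if __name__ == "__main__":
    for host, enc, third in find_presubmit_leaks(EMAIL, "shop.example", SAMPLE_EVENTS):
        print(f"pre-submit leak to {host} ({enc}, third-party={third})")
```

Any hit it reports is a request that left the browser with the address before Submit was pressed; the request made after the submit event is ignored because that one is expected.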


Written by giorgos
