100.000 sites collect what you type before you click Submit

When you write a comment or make a hotel reservation, you probably take it for granted that if you change your mind and press X to exit the page, what you typed is deleted.

What we have known so far is that nothing happens until you press the Submit button, right?


Well, no. This does not always happen, according to new research: A large number of websites collect some or all of your data as you type.

Researchers from KU Leuven, Radboud University and Lausanne University analyzed the top 100.000 websites, looking at scenarios in which a user visits a website from the European Union and from the United States.

They found that 1.844 websites retained an EU user's email address without their consent, and around 2.950 stored the emails of users from the US. Many of the sites do not appear to intend to record the data, but they embed third-party marketing services that cause this behavior.


Following a dedicated search of sites for password leaks in May 2021, the researchers also found 52 sites where third-party services, such as Russia's Yandex, accidentally collected password data before it was submitted. The team disclosed its findings to these services, and since then all 52 cases have been fixed.

"If there is a Submit button on a form, the reasonable expectation is that it will do something, not submit your data before you in it," says Güneş Acar, a professor and researcher at Radboud University's digital security group and one of the study's pioneers.

"All these results were a big surprise. We thought we might find a few hundred websites collecting your emails before you submit, but that far exceeded our expectations."

The researchers will present their findings at the Usenix security conference in August. They report that this behavior is similar to that of so-called keyloggers, which are usually malicious programs that record everything a user types. But on the top 1.000 websites, users do not expect anyone to record their information. In practice, the researchers observed several variations of the same behavior. Some sites record part of what is typed, while others grab the complete contents of a form field when users click into the next field (rather than the send button).

"In some cases, when you click to go to the next field, they collect the previous one, such as when you click in the password field, they collect the email. There are other forms that you just click on and they collect all the information right away," said Asuman Senol, a data protection officer and researcher at KU Leuven and one of the study's co-authors.

"We did not expect to find thousands of sites in the US and the numbers are really high, which is very interesting."

The team also made an interesting discovery about the Meta Pixel and TikTok Pixel features. These are essentially invisible marketing trackers that administrators embed in their sites to track users across the web and show them ads.

Both features claim that users can turn off "auto composite mapping", which disables data collection when a user submits a form.

But in practice, the researchers found that these Tracking Pixels were grabbing hashed email addresses, a disguised version of email addresses used to identify web users in various , before submitting the form.

For US users, 8.438 sites leak data to Meta, Facebook's parent company, via Meta Pixel, and 7.379 sites affect EU users. For TikTok Pixel, the team found 154 sites for US users and 147 for EU users.
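
The pre-submit collection described above can be checked from a capture of a page's outgoing requests. The following is an added example, not code from the study or from this article: it searches third-party requests sent before Submit for the typed email address in plaintext and in common encodings and hashes. The function names, the request-record layout and the sample hosts are assumptions constructed for illustration.

```python
import base64
import hashlib
from urllib.parse import quote

def email_variants(email):
    """Encodings of the typed address to search for, mapped to a label."""
    e = email.strip().lower()
    raw = e.encode()
    return {
        e: "plaintext",
        quote(e, safe=""): "url-encoded",
        base64.b64encode(raw).decode(): "base64",
        hashlib.md5(raw).hexdigest(): "md5",
        hashlib.sha1(raw).hexdigest(): "sha1",
        hashlib.sha256(raw).hexdigest(): "sha256",
    }

def find_presubmit_leaks(email, requests, first_party, submit_time=None):
    """Return (host, encoding) for each third-party request that carried the
    address before Submit. submit_time=None means the form was never sent."""
    variants = email_variants(email)
    leaks = []
    for req in requests:
        if submit_time is not None and req["t"] >= submit_time:
            continue  # at or after Submit: the user asked for this
        host = req["host"]
        if host == first_party or host.endswith("." + first_party):
            continue  # same site; this check is about third parties
        hay = req["url"] + " " + req.get("body", "")
        for needle, label in variants.items():
            if needle in hay or needle in hay.lower():  # also upper-case hex
                leaks.append((host, label))
    return leaks

# Constructed capture: t is seconds since page load, Submit clicked at t=9.0.
SAMPLE_EMAIL = "alice@example.com"
_digest = hashlib.sha256(SAMPLE_EMAIL.encode()).hexdigest()
SAMPLE_REQUESTS = [
    {"t": 1.2, "host": "tracker.example.net",
     "url": "https://tracker.example.net/collect?em=" + _digest},
    {"t": 2.0, "host": "cdn.shop.example",
     "url": "https://cdn.shop.example/validate?email=alice@example.com"},
    {"t": 3.5, "host": "analytics.example.org",
     "url": "https://analytics.example.org/e", "body": "email=alice%40example.com"},
    {"t": 9.5, "host": "tracker.example.net",
     "url": "https://tracker.example.net/collect?em=" + _digest},
]
if __name__ == "__main__":
    print(find_presubmit_leaks(SAMPLE_EMAIL, SAMPLE_REQUESTS, "shop.example", 9.0))
```

A hashed address is matched just as easily as a plaintext one here, which is why hashing alone does not stop the receiver from recognising the same user.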


Written by giorgos
