A study found that a surprising number of leading websites collect data you’ve entered – such as passwords or email addresses in a registration process that you don’t complete – even if you did not click submit.
Researchers from KU Leuven, Radboud University and the University of Lausanne examined the top 100,000 websites. To find out whether online trackers misuse their access to online forms, the team scoured the sites while browsing as if from the US and from the EU. According to the study, the top sites where email addresses are leaked to tracking domains include USAToday and The Independent, although issues with both of these websites have since been resolved.
“Users’ email addresses are exfiltrated to the tracking, marketing, and analytics domains before form submission and before consent is given on 1,844 websites when visited from the EU and 2,950 when visited from the United States,” the team writes in their study, which will be presented at the USENIX Security ’22 security and privacy conference.
The sites themselves do not necessarily use the data, but use third-party marketing and analytics services that do. Fifty-two sites were found to be collecting data before anyone clicked submit, including Russia’s Toyota domain and Russian tech giant Yandex.
“If there’s a submit button on a form, you can reasonably expect it to do something – to submit your data when you click on it,” Güneş Acar, a professor and researcher in the Digital Security group at Radboud University, told Wired. “We were super surprised by these results. We thought we might find a few hundred websites where your email is collected before you submit it, but this far exceeded our expectations.”
In a follow-up study, they found that Meta and TikTok “collect hashed personal information from web forms even when the user does not submit the form and provide consent.”
In March 2022, the researchers ran further website crawls, in which their bot entered email and password information, then clicked on something that took it away from the page without clicking submit. The idea was to see whether this information reached Meta and TikTok through their Automatic Advanced Matching features, which collect personal data identifiers.
“We found that 8,438 (US) / 7,379 (EU) sites can leak to Meta when the user clicks on virtually any button or link, after filling out a form,” they write. “Additionally, we found 154 (US) / 147 (EU) sites likely to leak to TikTok in the same way.”
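A site owner can run the same kind of check against their own pages: fill in a form, leave without submitting, and search the captured third-party requests for the typed address in plain, Base64 or hashed form. The sketch below is an added example, not the researchers' code; the request records, host names and function names are constructed for illustration, and it assumes the address is trimmed and lowercased before hashing.

```python
import base64
import hashlib
from urllib.parse import quote, unquote, urlsplit

def candidate_tokens(email):
    """Forms in which the typed address may appear in a tracker request."""
    raw = email.strip().lower().encode()  # assumed normalization before hashing
    return {
        "plain": raw.decode(),
        "base64": base64.b64encode(raw).decode(),
        "md5": hashlib.md5(raw).hexdigest(),
        "sha1": hashlib.sha1(raw).hexdigest(),
        "sha256": hashlib.sha256(raw).hexdigest(),
    }

def find_leaks(email, first_party, requests):
    """Return (host, encoding) for each third-party request carrying the address.

    `requests` must hold only traffic captured before any submit click.
    """
    tokens = candidate_tokens(email)
    leaks = []
    for req in requests:
        host = urlsplit(req["url"]).hostname or ""
        if host == first_party or host.endswith("." + first_party):
            continue  # the site's own endpoints are out of scope here
        text = unquote(req["url"]) + "\n" + unquote(req.get("body", ""))
        for name, token in tokens.items():
            # Base64 is case-sensitive; hex digests and addresses are not.
            hit = token in text if name == "base64" else token in text.lower()
            if hit:
                leaks.append((host, name))
    return leaks

# Constructed sample capture (not data from the study).
EMAIL = "audit@example.org"
_t = candidate_tokens(EMAIL)
SAMPLE_REQUESTS = [
    {"url": "https://shop.example/api/check?email=audit%40example.org"},
    {"url": "https://tracker.example.net/collect", "body": "ev=click&em=" + _t["sha256"]},
    {"url": "https://analytics.example.com/p?d=" + quote(_t["base64"], safe="")},
    {"url": "https://cdn.example.net/lib.js"},
]

if __name__ == "__main__":
    for host, encoding in find_leaks(EMAIL, "shop.example", SAMPLE_REQUESTS):
        print(f"{host}: address sent as {encoding} before submit")
```

A hashed address is still a stable identifier across sites, which is why the hashed forms are reported alongside the plain one.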