Some Top 100,000 Websites Collect Everything You Type—Before You Hit Submit


When you sign up for a newsletter, make a hotel reservation, or check out online, you probably assume that nothing happens until you press the Submit button. As with so many assumptions about the web, that is not always the case, according to new research: a surprising number of websites collect some or all of the data you type into a form before you ever submit it.

Researchers at KU Leuven, Radboud University, and the University of Lausanne crawled and analyzed the top 100,000 websites, simulating visits both by a user in the European Union and by a user in the United States. They found that 1,844 websites gathered an EU user's email address without consent, and a staggering 2,950 logged a US user's email in some form. Many of the sites apparently do not intend to log this data themselves but embed third-party marketing and analytics services that cause the behavior.

After specifically crawling sites for password leaks in May 2021, the researchers also found 52 websites on which third parties, including the Russian technology giant Yandex, were collecting password data before submission. The group disclosed its findings to these sites, and all 52 instances have since been resolved.

“If there’s a Submit button on a form, the reasonable expectation is that it will do something: send your data when you click on it,” says Güneş Acar, a professor and researcher in the digital security group at Radboud University and one of the leaders of the study. “We were very surprised by these results. We thought we might find a few hundred websites where your email is collected before you send it, but that far exceeded our expectations.”

The researchers, who will present their findings at the USENIX Security conference in August, say they were inspired to investigate what they call “leaky forms” by media reports, particularly from Gizmodo, about third parties collecting form data regardless of whether the form was submitted. They point out that, at its core, the behavior resembles a keylogger, which is usually a malicious program that records everything a target types. But on a top-1,000 website, users probably do not expect their input to be logged that way. In practice, the researchers saw variations in the behavior. Some sites logged data keystroke by keystroke, but many grabbed the full contents of one field when the user clicked into the next.

“In some cases, when you click on the next field, they collect the previous one, like clicking on the password field and collecting the email, or you just click anywhere and they collect all the information immediately,” says Asuman Senol, a privacy and identity researcher at KU Leuven and one of the co-authors of the study. “We didn’t expect to find thousands of websites; and in the US, the numbers are very high, which is interesting.”
