Web forms leak email addresses and passwords to advertisers

When internet users log in somewhere or fill in an online form, data such as email addresses and passwords can be sent to advertisers and other third parties before the submit or log-in button has been clicked, according to researchers from Radboud University, KU Leuven and the University of Lausanne. The study examined the 100,000 most popular websites on the Internet. European users' email addresses were forwarded to tracking, marketing and analytics domains on more than 1,800 websites before users had consented or clicked submit. When the same websites were visited from an American IP address, almost three thousand websites were involved. On more than fifty websites, third-party session replay scripts were also found to be collecting users' passwords. These scripts record user interaction with the website, including keystrokes and mouse movements. The researchers reported these findings. Subsequently, two third-party trackers, which together are present on five million websites, released updates to fix the problem.

In a follow-up study, the researchers found that Meta and TikTok collect hashed personal information from web forms, even when the user does not submit the form and does not give consent. The researchers warned both companies. Meta quickly responded by stating that the issue had been passed on to an engineering team. TikTok, which was informed later, has not yet responded, according to the researchers. “Based on our research, users should assume that the personal information they enter in web forms may be collected by trackers even if the form is never submitted. Given its magnitude, breach, and unintended side effects, the privacy issue we examined deserves more attention from browser vendors, privacy tool developers and privacy regulators,” the researchers concluded. As a result of the investigation, they have developed a browser extension called LeakInspector. It allows websites and end users to monitor third parties that collect personal information from web forms without their consent or knowledge.
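The kind of check described above can be run offline over captured traffic. This is an added example, not LeakInspector's code and not from the researchers: it flags third-party requests sent before submit that carry the typed email in plaintext, encoded or hashed form. The request record shape (`url`, `body`, `afterSubmit`), the host names and the normalization step are assumptions made for the illustration.

```javascript
const crypto = require('node:crypto');

// Forms in which a typed email may show up in a request. Lowercasing and
// trimming before hashing is an assumption about tracker behaviour.
function leakVariants(email) {
  const v = email.trim().toLowerCase();
  const hex = (alg) => crypto.createHash(alg).update(v).digest('hex');
  return [
    { encoding: 'plaintext', needle: v },
    { encoding: 'urlencoded', needle: encodeURIComponent(v).toLowerCase() },
    { encoding: 'base64', needle: Buffer.from(v).toString('base64'), exact: true },
    { encoding: 'md5', needle: hex('md5') },
    { encoding: 'sha1', needle: hex('sha1') },
    { encoding: 'sha256', needle: hex('sha256') },
  ];
}

// Simplified third-party test; a real tool would compare registrable
// domains using the Public Suffix List.
function isThirdParty(pageHost, reqHost) {
  return !(reqHost === pageHost || reqHost.endsWith('.' + pageHost));
}

// Report third-party requests sent before submit that carry the email.
function findLeaks(pageUrl, email, requests) {
  const pageHost = new URL(pageUrl).hostname;
  const variants = leakVariants(email);
  const leaks = [];
  for (const req of requests) {
    const host = new URL(req.url).hostname;
    if (req.afterSubmit || !isThirdParty(pageHost, host)) continue;
    const raw = req.url + '\n' + (req.body || '');
    const lower = raw.toLowerCase(); // base64 is matched case-sensitively
    for (const { encoding, needle, exact } of variants) {
      if ((exact ? raw : lower).includes(needle)) leaks.push({ host, encoding });
    }
  }
  return leaks;
}

// Constructed sample traffic for a hypothetical signup page.
const EMAIL = 'Alice@Example.org';
const needle = (enc) => leakVariants(EMAIL).find((v) => v.encoding === enc).needle;
const SAMPLE = [
  { url: `https://tracker.example/collect?em=${needle('sha256')}`, afterSubmit: false },
  { url: 'https://replay.example/rec', body: `{"v":"${needle('base64')}"}`, afterSubmit: false },
  { url: 'https://api.shop.example/check?email=alice%40example.org', afterSubmit: false },
  { url: 'https://tracker.example/collect?em=alice%40example.org', afterSubmit: true },
];
console.log(findLeaks('https://shop.example/signup', EMAIL, SAMPLE));
```

Only the first two sample requests are reported: the third goes to a first-party subdomain and the fourth is sent after submit.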