A study has found that a surprising number of top websites are collecting data you have entered – such as passwords or email addresses in a sign-up process you then do not complete – even if you haven't hit submit.
Researchers from KU Leuven, Radboud University, and the University of Lausanne looked at the top 100,000 websites. To find out whether access to online forms is misused by online trackers, the team crawled the websites while browsing as if they were from the US and from the EU. Top sites where email addresses are leaked to tracker domains, the study says, include USAToday and the Independent, though the issues at those two websites have since been resolved.
"Users' email addresses are exfiltrated to tracking, marketing and analytics domains before form submission and before giving consent on 1,844 websites when visited from the EU and 2,950 when visited from the US," the team write in their study, which will be presented at security and privacy conference USENIX Security'22.
The sites themselves don't necessarily use the data, but they embed third-party marketing and analytics services which do. Fifty-two sites were found to be collecting data before anyone had hit submit, including the Russian domain of Toyota and Russian tech giant Yandex.
“If there’s a Submit button on a form, the reasonable expectation is that it does something – that it will submit your data when you click it,” professor and researcher in Radboud University's digital security group Güneş Acar told Wired. “We were super surprised by these results. We thought maybe we were going to find a few hundred websites where your email is collected before you submit, but this exceeded our expectations by far.”
In a follow-up study, they discovered that Meta and TikTok "collect hashed personal information from web forms even when the user does not submit the form and does not give consent".
In March 2022, they ran further crawls of websites, in which their bot would enter email and password info, and then click on something to take them away from the website without hitting submit. The idea was to see if that information made its way back to Meta and TikTok's Automatic Advanced Matching, which collects personal data identifiers.
"We found that 8,438 (US) / 7,379 (EU) sites may leak to Meta when the user clicks on virtually any button or a link, after filling up a form," they write. "In addition, we found 154 (US) / 147 (EU) sites that may leak to TikTok in a similar manner."
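The check behind such a crawl, as an added example that is not the researchers' code: given the email a crawler typed into a form and the outbound requests captured before Submit was clicked, it flags requests to any host other than the site itself that carry that email in plaintext, URL-encoded, base64, or hashed (MD5 or SHA-256) form, the hashed variants being the kind of "hashed personal information" described above. The domains, request bodies and email address are constructed for the example.

```python
# Added example (not from the study or the article): audit captured pre-submit
# requests for a typed email leaking to third-party hosts, in plaintext or hashed form.
import base64
import hashlib
from urllib.parse import quote, urlparse


def email_encodings(email):
    """All encodings in which a leaked email might appear in a request."""
    lower = email.lower()  # trackers usually lower-case before hashing
    return {
        "plain": email,
        "urlencoded": quote(email, safe=""),
        "base64": base64.b64encode(email.encode()).decode(),
        "md5": hashlib.md5(lower.encode()).hexdigest(),
        "sha256": hashlib.sha256(lower.encode()).hexdigest(),
    }


def find_leaks(email, first_party, requests):
    """Return (host, encoding) for each third-party request that carries the email."""
    encodings = email_encodings(email)
    leaks = []
    for req in requests:
        host = urlparse(req["url"]).hostname or ""
        if host == first_party or host.endswith("." + first_party):
            continue  # same-site traffic is the form's own job, not tracker exfiltration
        haystack = req["url"] + req.get("body", "")
        for name, value in encodings.items():
            if value in haystack:
                leaks.append((host, name))
                break  # one finding per request is enough
    return leaks


# Constructed sample: what the crawler typed, and requests seen before any Submit click.
TYPED_EMAIL = "Test.User@example.com"
CAPTURED = [
    {"url": "https://shop.example/api/validate?email=Test.User%40example.com"},
    {"url": "https://analytics.tracker-a.example/collect",
     "body": "ev=input&em=" + hashlib.sha256(b"test.user@example.com").hexdigest()},
    {"url": "https://pixel.tracker-b.example/tr?id=1",
     "body": "ud[em]=" + base64.b64encode(b"Test.User@example.com").decode()},
    {"url": "https://cdn.tracker-c.example/lib.js"},
]

if __name__ == "__main__":
    for host, enc in find_leaks(TYPED_EMAIL, "shop.example", CAPTURED):
        print(f"pre-submit leak to {host} ({enc})")
```

The first-party validation call is deliberately ignored; the two tracker hosts are reported with the encoding in which the address was found.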