Let’s say you have an online account with Marriott, the hotel group. Go to the login page, enter your email address in the username field, then move the cursor to the password field. At this point your email address has already been transferred to the marketing company Glassbox Digital, even if you have not consented to the sharing of that data. It is a wild, ultra-fast and particularly convoluted form of collection, because users do not imagine that form data can be sent before they click the “submit” button.
Unfortunately, the Marriott website is far from the only one to practice this type of collection. Four security researchers scoured the web with a custom crawler from a European IP address and detected 1,844 websites where email addresses typed into online forms were covertly collected. Browsing from a US IP address, they spotted as many as 2,950. Among the largest affected sites are Trello.com, Useday.com, Shopify.com, Newsweek.com, Prezi.com and Codecademy.com. Here is a video made by the researchers showing this type of collection for a European internet user.
This collection can be done not only on the login page, but also on any other form, such as subscribing to a newsletter. Sometimes this information is transmitted letter by letter, like a keylogger, probably in order to collect as much data as possible. Finally, across 52 sites, the researchers also found password collection, which is particularly frightening.
Contacted by the researchers, only half of the website operators and tracker vendors responded. As for the collection of passwords, it turned out not to be intentional but the result of bugs or incorrect settings. For emails and other identifiers, the responses are more varied. Some operators, such as Trello.com, claim to be unaware of this collection. Others, such as Marriott, argue that it is done for technical and anti-fraud reasons. Still others said it was a bug.
For their part, the marketing service providers see no problem. At Taboola, for example, form emails are collected for advertising purposes in the form of a cryptographic hash (a “fingerprint”) and stored for 13 months. Taboola says the collection only takes place with the internet user’s consent, which is patently false. Zoominfo, meanwhile, hides behind its clients, explaining that the collection is an option that they can choose to activate or not.
During this study, the researchers also discovered a similar collection by the Meta and TikTok trackers. Both have a feature called “Automatic Advanced Matching”, which is supposed to pass identifiers entered into a form only when the user submits the form. However, it turns out that these trackers steal the data as soon as the user clicks a link or any other button. Even if you click a completely inactive button, the data is transmitted. And this happens, of course, without any consent from the user.
After browsing the web with their crawler, the researchers estimate that this data leak could affect more than 7,300 websites seen from a European IP address and more than 8,400 sites seen from a US IP address. The researchers alerted Meta, which acknowledged the existence of a problem; a team of engineers is now working on it. TikTok was also warned, but later, and has not yet responded to the researchers.
To protect internet users, the researchers also developed a browser extension called “LeakInspector”, which can detect the covert collection of information typed into forms. It is still experimental software that should eventually be released on the Firefox add-ons store. In any case, this study shows that the Wild West of advertising trackers is still far from over.
Source: Scientific studies