A recent research report claims that thousands of popular websites see what users type into forms before they hit submit. The researchers even found 52 websites where third parties had access to users’ password data before submission.
Wired reports that according to a study by European researchers from KU Leuven, Radboud University, and the University of Lausanne, many websites track the information that users type into forms even before they hit submit. Researchers analyzed the top 100,000 websites and looked at different scenarios such as users visiting a site while in the European Union and visiting while in the United States.
The researchers found that 1,844 websites gathered EU users’ email addresses without their consent, while 2,950 logged U.S. users’ emails. Many sites reportedly incorporate third-party marketing and analytics software that automatically collects this information.
Researchers crawled websites for password leaks in May 2021 and found 52 websites in which third parties were incidentally collecting password data before submission. The group disclosed their findings to these sites and all 52 instances have reportedly since been resolved.
Güneş Acar, a professor and researcher in Radboud University’s digital security group and one of the leaders of the study, commented:
If there’s a Submit button on a form, the reasonable expectation is that it does something—that it will submit your data when you click it. We were super surprised by these results. We thought maybe we were going to find a few hundred websites where your email is collected before you submit, but this exceeded our expectations by far.
The researchers plan to present their findings at the Usenix security conference in August and said they were inspired to investigate the issue due to media reports about third parties collecting form data regardless of whether they had been submitted.
The researchers noted that different sites engaged in different behaviors to collect data, some logged keystroke by keystroke while many grabbed complete submissions from one field when users clicked next. Asuman Senol, a privacy and identity researcher at KU Leuven and one of the study coauthors, commented:
In some cases, when you click the next field, they collect the previous one, like you click the password field and they collect the email, or you just click anywhere and they collect all the information immediately. We didn’t expect to find thousands of websites; and in the US, the numbers are really high, which is interesting.
Read more at Wired here.
Lucas Nolan is a reporter for Breitbart News covering issues of free speech and online censorship. Follow him on Twitter @LucasNolan or contact via secure email at the address lucasnolan@protonmail.com