Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Privacy The Internet

Ad-Tech Firms Grab Email Addresses From Forms Before They're Even Submitted (theregister.com) 46

Tracking, marketing, and analytics firms have been exfiltrating the email addresses of internet users from web forms prior to submission and without user consent, according to security researchers. Some of these firms are said to have also inadvertently grabbed passwords from these forms. The Register reports: In a research paper scheduled to appear at the Usenix '22 security conference later this year, authors Asuman Senol (imec-COSIC, KU Leuven), Gunes Acar (Radboud University), Mathias Humbert (University of Lausanne) and Frederik Zuiderveen Borgesius, (Radboud University) describe how they measured data handling in web forms on the top 100,000 websites, as ranked by research site Tranco. The boffins created their own software to measure email and password data gathering from web forms -- structured web input boxes through which site visitors can enter data and submit it to a local or remote application.

Providing information through a web form by pressing the submit button generally indicates the user has consented to provide that information for a specific purpose. But web pages, because they run JavaScript code, can be programmed to respond to events prior to a user pressing a form's submit button. And many companies involved in data gathering and advertising appear to believe that they're entitled to grab the information website visitors enter into forms with scripts before the submit button has been pressed.

"Our analyses show that users' email addresses are exfiltrated to tracking, marketing and analytics domains before form submission and without giving consent on 1,844 websites in the EU crawl and 2,950 websites in the US crawl," the researchers state in their paper, noting that the addresses may be unencoded, encoded, compressed, or hashed depending on the vendor involved. Most of the email addresses grabbed were sent to known tracking domains, though the boffins say they identified 41 tracking domains that are not found on any of the popular blocklists. "Furthermore, we find incidental password collection on 52 websites by third-party session replay scripts," the researchers say.

This discussion has been archived. No new comments can be posted.

Ad-Tech Firms Grab Email Addresses From Forms Before They're Even Submitted

Comments Filter:
  • Enforcement (Score:5, Interesting)

    by ranton ( 36917 ) on Monday May 16, 2022 @05:47PM (#62540662)

    How worthless is enforcement of these regulations if it takes some research paper like this to identify compliance? When I see an article like this, I would also like to see all of the fines being paid by these companies because of this behavior. But I never find that in an article like this, and I assume it is because that rarely happens.

    The most annoying thing is you would think this enforcement would pay for itself. 1800 EU web sites with a $20 million euro fine each could pay for billions per year in enforcement efforts even after including the legal costs.

    • Re:Enforcement (Score:4, Insightful)

      by BeerCat ( 685972 ) on Monday May 16, 2022 @06:20PM (#62540756) Homepage

      While the EU can go after GDPR infringements, it does seem that they may only do so if alerted to the breach.

      As you say, it is disappointing that it takes research institutions to uncover the infringing "grab details before submit" actions. That at least is still better than "You have no laws in place to stop these people"

    • Thats a bad arrangement. Its the same situation as privatized for-profit prisons. Even worse is these firms have insurance that just pays this shit out. Id rather see the ceo and board have to hand write a check for $15 to every recipient. HAND WRITE. After 1 million checks to fill out, I bet theyd never do that shit again.
    • by Jack9 ( 11421 )

      This is pretty late in the game.

      Experian's FreeCreditReport.com sold the information to 28 different companies before you hit submit in 2008. This was well known within the company (I was a contractor for awhile). If you collect it yourself, then send it off to a bunch of companies, is that much different?

  • Comment removed (Score:5, Informative)

    by account_deleted ( 4530225 ) on Monday May 16, 2022 @05:49PM (#62540672)
    Comment removed based on user account deletion
    • Re: (Score:3, Insightful)

      by Anonymous Coward

      The only real defensive tips are 1) don't allow javascript and 2) if you do have to turn it on to make the ajax on some form work, understand that you're submitting the text in real time.

      I'm surprised that this is a story that's being broken as if it was kept a secret. All e-commerce sites do this. This is (one of the reasons) why if you put something in your cart, almost buy it but don't, you get a reminder e-mail in a couple days. They snagged your e-mail when you filled out the form. Sometimes they'll be

  • by phantomfive ( 622387 ) on Monday May 16, 2022 @06:07PM (#62540722) Journal

    From the beginning, when we just had newsgroups, SPAM started to become a real problem, and eventually ruined newsgroups.

    Now, advertising is a problem because it incentivizes content that the author doesn't care about, just to get page views. "You won't believe what Trump said today" and then the page says that Trump loves Nancy Pelosi. Who cares? As long as you clicked on it.

    Advertising is thus bad for two reasons: because it directly makes the internet worse, and it incentives the creation of false or bad content. It is therefore a moral imperative to use ad block.

    • > It is therefore a moral imperative to use ad block.

      There is a certain 'poison the well' aspect to this that is intriguing.

      Web search is generally paid for with advertising dollars. Both abortion clinics and white supremacists benefit from being searchable on the web. Therefore web advertising supports abortion and racism. Thus it is a moral imperative to block web ads. States should implement a total ban on web advertising, think of the children.

    • by shanen ( 462549 )

      Mod parent interesting. Especially the part about "moral imperative to use ad block". I don't think it's necessarily correct, because in spite of their greed, they may understand when to lay off. Or who?

      I still prefer the solution of "knowing the sources". Yeah, it's nice to be polite to strangers, but that shouldn't include being nice to (and trusting) every sock puppet with a testimonial pushing some garbage. I see a lot of these problems coming down to scaling over Dunbar's Number. (Interesting that Twit

      • Re: (Score:3, Informative)

        by phantomfive ( 622387 )

        the part about "moral imperative to use ad block". I don't think it's necessarily correct,

        Then block ads based on practicality. All major ad networks have served malware. It doesn't make sense to allow those on your system.

        • by shanen ( 462549 )

          Sorry, but that's not how I see the situation. You could perhaps make a stronger argument based on time. I consider the malware problem as separate and I do take various technical precautions.

          However, I see the ads themselves as part of a bargain that I have accepted. I get some services in exchange for exposure to some ads. On one hand, I feel obliged to accept a "reasonable default" amount of ads for the services I'm using, but on the other hand I do not feel obliged to be "helpful" in terms of increasing

          • What technical precautions do you take that will be effective as blocking ads?

            • by shanen ( 462549 )

              You must realize that's a problematic question for a public place? Let me just say that I'd prefer to remain a low-value high-cost target, at least in relative terms. And the main cost would probably be figuring out my technical defenses...

              • Think though. how many websites are there that fit both criteria:

                A) You wouldn't be willing to pay a small fee for the service.
                B) You would be particularly sad if they were gone.

                The advertising model is not the best to fund the internet.

                • by shanen ( 462549 )

                  The dimensions of your analysis are escaping me, but that may be because I see the system as too open in the sense that everything on the Web winds up competing against free. Actually, it's probably worse than that, because the way they hide the economic models, in many cases it may even seem like they are paying you. (Or maybe because I have too Buddhist a perspective? Everything is transient and no sense in getting sad about the passing of anything in particular?)

                  I am certainly NOT advocating in favor of

                  • There are a lot of websites that are bad but still get views because they are good at SEO. Do a search for "smart outlet review" and you'll find a bunch of websites that don't tell you much information. If they weren't getting paid from advertising, they would disappear and the world would be a better place. (A better place in the sense that it would be easier to find websites with good smart outlet information, or at least you wouldn't be distracted by bad information).

                    So then I think, "what websites do I

                    • by shanen ( 462549 )

                      You basically raise two points, one per paragraph, but I don't feel like you're engaging with any of my actual positions, especially as regards the CSB idea. I want to feel like my positions make sense, but that implies I write quite poorly... Certainly not persuasively.

                      Also I feel like responding to your points is mostly leading farther and farther afield and that my attempts to link back to my actual positions are not accomplishing much. So I'll try to keep my replies brief. (While pulling to the center?)

                    • I don't feel like you're engaging with any of my actual positions, especially as regards the CSB idea.

                      I don't understand your CSB idea. Can you explain it again?

                    • by shanen ( 462549 )

                      Limiting it to the journalism context and remembering that this is a sky castle, here's an elevator version:

                      After a story (or video) there would be some links for solution projects related to whatever problem the story was about. The CSB would help pick the links, but the main job of the CSB would be making sure the project proposals are complete, with budgets, schedules, and resources sufficient to the task. The CSB would also check for "success criteria" in the proposal, and afterwards the CSB would repor

    • Comment removed (Score:4, Interesting)

      by account_deleted ( 4530225 ) on Monday May 16, 2022 @06:38PM (#62540830)
      Comment removed based on user account deletion
      • by _merlin ( 160982 )

        Java didn't open a persistent connection in and of itself - the applet code would be downloaded and run locally. Plenty of Java applets just added interactivity and didn't make connections at all.

        • Comment removed based on user account deletion
        • Also, HTML 1.0 didn't have forms. Most likely the first HTML the author ever saw was HTML 3.2, around 1996.

          Much is what they've said is *factually* incorrect, but that's not the point. The point is that from around 1996 until now, the web has become a billion times larger as people learned how to make a living from it. Some people have been very clever about making a few bucks; doing things you might not expect. I think that's the author's point - it's not a few academics sharing their papers over gopher p

  • by OrangeTide ( 124937 ) on Monday May 16, 2022 @06:20PM (#62540758) Homepage Journal

    with a few billion randomly generated email addresses?

    • Or just the email address of people you really don't like.

    • by hAckz0r ( 989977 )

      with a few billion randomly generated email addresses?

      Try fuzzing their database? That might balloon their database substantially but the bots will just continue sending spam regardless of whether or not these emails are deliverable. If they do notice they will just add a little AI to recognize good addresses and remove the random ones. The owner of the bots would likely never know the difference except for the change in the database size. But it would be fun to try and break their database engine or po

  • They've been doing this for years. I've noticed half-filled and abandoned forms just prompt companies to spam me if one of the fields was am email address.

    They grab it on field exit by AJAX. This isn't news as it is at least a decade old info.

  • I fuckin' knew it (Score:4, Insightful)

    by JustAnotherOldGuy ( 4145623 ) on Monday May 16, 2022 @08:26PM (#62541010) Journal

    I knew these fuckers were doing this and when I mentioned it, people laughed like I was paranoid.

    They were right, I was paranoid, BUT I was also right.

    I've suspected this for a long time. And the reason I started suspecting it was they I realized it was not just possible, but trivial to do so.

  • by ayesnymous ( 3665205 ) on Monday May 16, 2022 @10:58PM (#62541344)
    enter my email address while starting the checkout process in an online store. But I don't complete the checkout. I just enter my email address and hit next. Then I leave. There's a good chance that within the next day, the store will email me a coupon.
  • by Deal In One ( 6459326 ) on Tuesday May 17, 2022 @01:46AM (#62541574)

    And it was mentioned in Ars that Yandex (the Russian google clone) was one of those picking up your passwords.

    https://arstechnica.com/inform... [arstechnica.com]

    I wonder with current issues in Russia, if the Russian government would be interested in trying to get a copy of all the user accounts slurped by Yandex.

    Am running firefox with ublock origin, etc. But I think I need to have another look at blocking such stuff at a deeper level.

  • Those are maybe beginner questions, but anyway here I go:

    So it's possible to technically keylog/field read with JS when you enter credit card numbers on forms that belong to the website's URL, but what I wonder is, many websites use a payment processor (a 3rd party) that integrates seamlessly into the payment page, can the website fetch that information too?

    Can 3rd party javascript ads integrated into a webpage also read form contents/use keylog functionality or is there some sort of security implemented?

  • Many web developers use libraries to build web forms. It would be a good idea for someone to actually test the stock functionality of each library to see if any of those are stealing addresses behind the scene while the developers are not aware of this. Many website owners might not even suspect they are part of the problem.

  • "and many companies involved in data gathering and advertising appear to believe that they're entitled to grab the information website visitors enter into forms with scripts before the submit button has been pressed. " Scum is going to behave like scum.
  • I often find myself forgetting to call someone or send an important letter or documents. Moreover, I don’t do it on purpose, I just get distracted by other work tasks. To prevent this, I started using followup personal crm [nection.io]. Now it's much easier for me to keep in touch with clients, partners and colleagues.

As you will see, I told them, in no uncertain terms, to see Figure one. -- Dave "First Strike" Pare

Working...