
Ad-Tech Firms Grab Email Addresses From Forms Before They're Even Submitted (theregister.com)

Tracking, marketing, and analytics firms have been exfiltrating the email addresses of internet users from web forms prior to submission and without user consent, according to security researchers. Some of these firms are said to have also inadvertently grabbed passwords from these forms. The Register reports: In a research paper scheduled to appear at the Usenix '22 security conference later this year, authors Asuman Senol (imec-COSIC, KU Leuven), Gunes Acar (Radboud University), Mathias Humbert (University of Lausanne) and Frederik Zuiderveen Borgesius (Radboud University) describe how they measured data handling in web forms on the top 100,000 websites, as ranked by research site Tranco. The boffins created their own software to measure email and password data gathering from web forms -- structured web input boxes through which site visitors can enter data and submit it to a local or remote application.

Providing information through a web form by pressing the submit button generally indicates the user has consented to provide that information for a specific purpose. But web pages, because they run JavaScript code, can be programmed to respond to events prior to a user pressing a form's submit button. And many companies involved in data gathering and advertising appear to believe that they're entitled to grab the information website visitors enter into forms with scripts before the submit button has been pressed.

"Our analyses show that users' email addresses are exfiltrated to tracking, marketing and analytics domains before form submission and without giving consent on 1,844 websites in the EU crawl and 2,950 websites in the US crawl," the researchers state in their paper, noting that the addresses may be unencoded, encoded, compressed, or hashed depending on the vendor involved. Most of the email addresses grabbed were sent to known tracking domains, though the boffins say they identified 41 tracking domains that are not found on any of the popular blocklists. "Furthermore, we find incidental password collection on 52 websites by third-party session replay scripts," the researchers say.

  • Enforcement (Score:5, Interesting)

    by ranton ( 36917 ) on Monday May 16, 2022 @06:47PM (#62540662)

    How worthless is enforcement of these regulations if it takes some research paper like this to identify compliance? When I see an article like this, I would also like to see all of the fines being paid by these companies because of this behavior. But I never find that in an article like this, and I assume it is because that rarely happens.

    The most annoying thing is you would think this enforcement would pay for itself. 1800 EU web sites with a $20 million euro fine each could pay for billions per year in enforcement efforts even after including the legal costs.

    • Re:Enforcement (Score:4, Insightful)

      by BeerCat ( 685972 ) on Monday May 16, 2022 @07:20PM (#62540756) Homepage

      While the EU can go after GDPR infringements, it does seem that they may only do so if alerted to the breach.

      As you say, it is disappointing that it takes research institutions to uncover the infringing "grab details before submit" actions. That at least is still better than "You have no laws in place to stop these people"

    • That's a bad arrangement. It's the same situation as privatized for-profit prisons. Even worse is these firms have insurance that just pays this shit out. I'd rather see the CEO and board have to hand write a check for $15 to every recipient. HAND WRITE. After 1 million checks to fill out, I bet they'd never do that shit again.
    • by Jack9 ( 11421 )

      This is pretty late in the game.

      Experian's FreeCreditReport.com sold the information to 28 different companies before you hit submit in 2008. This was well known within the company (I was a contractor for a while). If you collect it yourself, then send it off to a bunch of companies, is that much different?

  • by mmell ( 832646 ) on Monday May 16, 2022 @06:49PM (#62540672)

    A couple of quick defense tips - first, disable form-fill. Look, seriously - is it really that hard to run something like KeePass? Are you really incapable of typing in your email address, telephone number, physical address, mailing address, etc.? I know form-fill is convenient; if your data and data privacy are important to you, turn it off. I did, it only took me a couple weeks to adapt.

    Second - Don't trust "incognito mode" or even VPN to keep you safe. It's your browser that's leaking the data, when it fills a form supplied by a website with a persistent stateful connection. The only way to keep this information from leaking out is not to put it in the form in the first place.

    • Re: (Score:3, Insightful)

      by Anonymous Coward

      The only real defensive tips are 1) don't allow javascript and 2) if you do have to turn it on to make the ajax on some form work, understand that you're submitting the text in real time.

      I'm surprised that this is a story that's being broken as if it was kept a secret. All e-commerce sites do this. This is (one of the reasons) why if you put something in your cart, almost buy it but don't, you get a reminder e-mail in a couple days. They snagged your e-mail when you filled out the form. Sometimes they'll be

  • by phantomfive ( 622387 ) on Monday May 16, 2022 @07:07PM (#62540722) Journal

    From the beginning, when we just had newsgroups, SPAM started to become a real problem, and eventually ruined newsgroups.

    Now, advertising is a problem because it incentivizes content that the author doesn't care about, just to get page views. "You won't believe what Trump said today" and then the page says that Trump loves Nancy Pelosi. Who cares? As long as you clicked on it.

    Advertising is thus bad for two reasons: because it directly makes the internet worse, and it incentivizes the creation of false or bad content. It is therefore a moral imperative to use ad block.

    • > It is therefore a moral imperative to use ad block.

      There is a certain 'poison the well' aspect to this that is intriguing.

      Web search is generally paid for with advertising dollars. Both abortion clinics and white supremacists benefit from being searchable on the web. Therefore web advertising supports abortion and racism. Thus it is a moral imperative to block web ads. States should implement a total ban on web advertising, think of the children.

    • by shanen ( 462549 )

      Mod parent interesting. Especially the part about "moral imperative to use ad block". I don't think it's necessarily correct, because in spite of their greed, they may understand when to lay off. Or who?

      I still prefer the solution of "knowing the sources". Yeah, it's nice to be polite to strangers, but that shouldn't include being nice to (and trusting) every sock puppet with a testimonial pushing some garbage. I see a lot of these problems coming down to scaling over Dunbar's Number. (Interesting that Twit

      • Re: (Score:3, Informative)

        by phantomfive ( 622387 )

        the part about "moral imperative to use ad block". I don't think it's necessarily correct,

        Then block ads based on practicality. All major ad networks have served malware. It doesn't make sense to allow those on your system.

        • by shanen ( 462549 )

          Sorry, but that's not how I see the situation. You could perhaps make a stronger argument based on time. I consider the malware problem as separate and I do take various technical precautions.

          However, I see the ads themselves as part of a bargain that I have accepted. I get some services in exchange for exposure to some ads. On one hand, I feel obliged to accept a "reasonable default" amount of ads for the services I'm using, but on the other hand I do not feel obliged to be "helpful" in terms of increasing

          • What technical precautions do you take that will be as effective as blocking ads?

            • by shanen ( 462549 )

              You must realize that's a problematic question for a public place? Let me just say that I'd prefer to remain a low-value high-cost target, at least in relative terms. And the main cost would probably be figuring out my technical defenses...

              • Think, though: how many websites are there that fit both criteria?

                A) You wouldn't be willing to pay a small fee for the service.
                B) You would be particularly sad if they were gone.

                The advertising model is not the best to fund the internet.

                • by shanen ( 462549 )

                  The dimensions of your analysis are escaping me, but that may be because I see the system as too open in the sense that everything on the Web winds up competing against free. Actually, it's probably worse than that, because the way they hide the economic models, in many cases it may even seem like they are paying you. (Or maybe because I have too Buddhist a perspective? Everything is transient and no sense in getting sad about the passing of anything in particular?)

                  I am certainly NOT advocating in favor of

                  • There are a lot of websites that are bad but still get views because they are good at SEO. Do a search for "smart outlet review" and you'll find a bunch of websites that don't tell you much information. If they weren't getting paid from advertising, they would disappear and the world would be a better place. (A better place in the sense that it would be easier to find websites with good smart outlet information, or at least you wouldn't be distracted by bad information).

                    So then I think, "what websites do I

                    • by shanen ( 462549 )

                      You basically raise two points, one per paragraph, but I don't feel like you're engaging with any of my actual positions, especially as regards the CSB idea. I want to feel like my positions make sense, but that implies I write quite poorly... Certainly not persuasively.

                      Also I feel like responding to your points is mostly leading farther and farther afield and that my attempts to link back to my actual positions are not accomplishing much. So I'll try to keep my replies brief. (While pulling to the center?)

                    • I don't feel like you're engaging with any of my actual positions, especially as regards the CSB idea.

                      I don't understand your CSB idea. Can you explain it again?

                    • by shanen ( 462549 )

                      Limiting it to the journalism context and remembering that this is a sky castle, here's an elevator version:

                      After a story (or video) there would be some links for solution projects related to whatever problem the story was about. The CSB would help pick the links, but the main job of the CSB would be making sure the project proposals are complete, with budgets, schedules, and resources sufficient to the task. The CSB would also check for "success criteria" in the proposal, and afterwards the CSB would repor

    • by mmell ( 832646 ) on Monday May 16, 2022 @07:38PM (#62540830)

      This is even worse. It's quite nearly criminal, IMHO.

      People have become used to the way HTML 1.0 worked. You're on a website. You're filling out a form. Nothing happens until you hit [SUBMIT, mortal]. The part they weren't told was why. Turns out, you only connected to that website long enough to get the page you're looking at. You're not really on the website, you're just looking at it.

      Now, I remember when JAVA hit the scene. It generally looked like Sun OS and Xerox had a horribly deformed child, but it opened a persistent connection between the web browser and the server. A persistent connection - think: TTY terminal, or thin client. Users were given a much richer, much faster environment to interact with the web server. No more overhead from opening and closing connections just to draw or retrieve a form? It was bliss. Choruses of Kumbaya rang out over the internet. JAVA was the cure for all, and all would be united in a JAVA virtual universe!

      But there was a darkness not perceived at work, a collective will of greed and malice, grasping and ungracious. Marketing 'droids came into IT and said "Hey, we're losing a lot of sales because people just close out before they finish. I wouldn't be much of a salesman if I didn't, say, try to talk them into buying? Look, I figure if I offer them a better deal, maybe they'll finish the transaction?" His countenance and all which he said seemed fair and reasonable, and the Web Weenies and their JAVA masters answered "That's already done. It's built into the design." And with only a little clattering of keyboards, the data was summoned forth; and rendered into the hands of the 'droids from Marketing.

      JAVA and the web have evolved over the milliseconds; new technologies have been added and JAVA is now only one tool in the webmaster's toolkit. A sort of uneasy truce arose of itself; it's understood that a website can't legitimately harvest and retain sensitive personal information without the express consent of the person in question. This unofficial truce makes it difficult to detect when a website is surreptitiously harvesting your data. As a web user, I generally have the mistaken belief that the websites I visit can be trusted with my data. I don't know why, but it's so.

      Before the critics start in: I know I'm no J.R.R. Tolkien, I can't even write dialog as well as George Lucas. I'm just an Engineer, and not much good at telling stories. Well, not at making them entertaining, in any event.

      • by _merlin ( 160982 )

        Java didn't open a persistent connection in and of itself - the applet code would be downloaded and run locally. Plenty of Java applets just added interactivity and didn't make connections at all.

        • by mmell ( 832646 )

          Fair enough. It's not Java's fault. Java's a pretty remarkable tool, actually; like any tool, it can be used for good or evil.
        • Also, HTML 1.0 didn't have forms. Most likely the first HTML the author ever saw was HTML 3.2, around 1996.

          Much of what they've said is *factually* incorrect, but that's not the point. The point is that from around 1996 until now, the web has become a billion times larger as people learned how to make a living from it. Some people have been very clever about making a few bucks; doing things you might not expect. I think that's the author's point - it's not a few academics sharing their papers over gopher p

  • by OrangeTide ( 124937 ) on Monday May 16, 2022 @07:20PM (#62540758) Homepage Journal

    with a few billion randomly generated email addresses?

    • Or just the email address of people you really don't like.

    • by hAckz0r ( 989977 )

      with a few billion randomly generated email addresses?

      Try fuzzing their database? That might balloon their database substantially but the bots will just continue sending spam regardless of whether or not these emails are deliverable. If they do notice they will just add a little AI to recognize good addresses and remove the random ones. The owner of the bots would likely never know the difference except for the change in the database size. But it would be fun to try and break their database engine or po

  • They've been doing this for years. I've noticed half-filled and abandoned forms just prompt companies to spam me if one of the fields was an email address.

    They grab it on field exit by AJAX. This isn't news as it is at least a decade old info.

    • by mmell ( 832646 )

      If memory serves, I first heard rumblings in the late 1990's about this. People didn't think of it as 'tracking' back then, they just noticed that if they ever once looked at any special interest item (a soldering iron, lingerie, inner tubes), their email would blow up. With the dismay at what we now routinely accept as SPAM freshly discovered, it took just a little bit to sink in that it was almost as though someone was . . . watching them.

      Just for nostalgia's sake . . . punch the monkey!

  • I fuckin' knew it (Score:4, Insightful)

    by JustAnotherOldGuy ( 4145623 ) on Monday May 16, 2022 @09:26PM (#62541010) Journal

    I knew these fuckers were doing this and when I mentioned it, people laughed like I was paranoid.

    They were right, I was paranoid, BUT I was also right.

    I've suspected this for a long time. And the reason I started suspecting it was that I realized it was not just possible, but trivial to do so.

  • by ayesnymous ( 3665205 ) on Monday May 16, 2022 @11:58PM (#62541344)

    enter my email address while starting the checkout process in an online store. But I don't complete the checkout. I just enter my email address and hit next. Then I leave. There's a good chance that within the next day, the store will email me a coupon.

  • by Deal In One ( 6459326 ) on Tuesday May 17, 2022 @02:46AM (#62541574)

    And it was mentioned in Ars that Yandex (the Russian google clone) was one of those picking up your passwords.

    https://arstechnica.com/inform... [arstechnica.com]

    I wonder, with the current issues in Russia, if the Russian government would be interested in trying to get a copy of all the user accounts slurped by Yandex.

    Am running firefox with ublock origin, etc. But I think I need to have another look at blocking such stuff at a deeper level.

  • Those are maybe beginner questions, but anyway here I go:

    So it's technically possible to keylog/field-read with JS when you enter credit card numbers on forms that belong to the website's URL, but what I wonder is: many websites use a payment processor (a 3rd party) that integrates seamlessly into the payment page; can the website fetch that information too?

    Can 3rd party javascript ads integrated into a webpage also read form contents/use keylog functionality or is there some sort of security implemented?

  • Many web developers use libraries to build web forms. It would be a good idea for someone to actually test the stock functionality of each library to see if any of those are stealing addresses behind the scene while the developers are not aware of this. Many website owners might not even suspect they are part of the problem.

  • "and many companies involved in data gathering and advertising appear to believe that they're entitled to grab the information website visitors enter into forms with scripts before the submit button has been pressed. " Scum is going to behave like scum.
  • I often find myself forgetting to call someone or send an important letter or documents. Moreover, I don’t do it on purpose, I just get distracted by other work tasks. To prevent this, I started using followup personal crm [nection.io]. Now it's much easier for me to keep in touch with clients, partners and colleagues.
