Website Trackers Are Saving Email, Password Even Before You Hit “Submit”

This data collected without their consent might contain some sensitive or personal information, which could be later used for targeted ads and sometimes for nefarious purposes. The study called “Leaky Forms: A Study of Email and Password Exfiltration Before Form Submission” was conducted by university researchers with a sample size of 100,000 of the highest-ranking websites in the world, which makes a total of 2.8 million pages.

 

Around 3% Of Websites Record Email, Passwords

With the help of a website crawler, the team of researchers found these results. While most users believe that websites only record things they type when they submit them, up to 2,950 sites out of the 100,000 sampled sites were doing more than that. Around 3% of the time, trackers collect data right from the moment users start typing into the form.

Websites make use of these trackers for several reasons, but majorly, they are used to personalize browsing for users and collect information about visitor activity. Trackers allow website developers to know what kind of content users are engaging in. But third-party trackers help advertisers to make sure the ads users see are targeted to things they are more likely to buy.

Third-Party Website Trackers Are Logging Keystrokes

The researchers attached a machine learning classifier to the tracker. This classifier was earlier trained to detect email and password fields and intercept any possible script access to those fields.

It looks like several third-party trackers are using scripts that keep track of the keystrokes when users type within the form. If the trackers save the information before users submit it, some of them might be able to gain access to email addresses and passwords without the consent of the users.

How To Protect Your Email And Password?

As per the researchers, these issues affect a small number of trackers, but they are pretty prevalent across the web. The most common trackers found in the research were LiveRamp (662 websites), Taboola (383), Verizon (255), and Bizible (191). These trackers were found on sites where the email addresses of users were logged. When speaking of snatching passwords, Yandex was the biggest culprit.

The key highlights of the study were released by the researchers alongside a more technical version for people who want to know more about the topic. It was first shared by Bleeping Computer. It’s imperative to note that half of these tracker companies responded to the researchers and claimed that the data collection wasn’t intentional.

To protect yourself from such website trackers, it’s better to disable third-party trackers once and for all. It can be done through browser settings. It’s also recommended to change passwords frequently. Password managers could be a great tool for juggling several passwords that change regularly.