Leaky Forms: A Study of Email and Password Exfiltration Before Form Submission (USENIX Security'22)

Submitted by Style Pass, 2022-05-15 01:30:07

Email addresses—or identifiers derived from them—are known to be used by data brokers and advertisers for cross-site, cross-platform, and persistent identification of potentially unsuspecting individuals. To find out whether access to online forms is misused by online trackers, we present a measurement of email and password collection that occurs before form submission on the top 100K websites.

Sample screen captures - Leaks to Meta and TikTok due to Automatic Advanced Matching

1. Site rank: Tranco rank
2. Encoding: Encoding or hash algorithm used when sending the email
3. Website: Hostname of the initially visited website (before a potential redirection)
4. Request Domain: eTLD+1 of the leaky request URL
5. Third Party Entity: Owner of the tracker domain
6. Tracker Category: Category of the tracker domain; this information comes from DuckDuckGo's Tracker Radar dataset
7. Blocklist: Blocklist that detected the tracker. WTM: whotracks.me, uBO: uBlock Origin, DDG: DuckDuckGo, DS: Disconnect
8. Page URL: (last_page) URL of the page where our crawler filled the email field
9. XPath: XPath of the filled email field
10. Id: ID of the email element that our crawler filled
(10, 11 & 12 identify the leaking page and input elements. They can be used for debugging, reproduction etc.)
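The measurement described in the abstract and the "Encoding" column above both rest on one check: does a request sent before any submit click carry the typed email address, either verbatim or in an encoded or hashed form? The following is an added example of that check, written for this page and not taken from the paper's crawler; the tracker hostnames, parameter names and the sample address are constructed, and the set of encodings (plain, URL-encoded, base64, md5, sha1, sha256, each also as a lower-cased variant) is an assumption about what is worth searching for, not the paper's exact list.

```python
"""Search a captured request for an email address in several encodings.
Added illustration for the Leaky Forms page, not the crawler's own code.
Hostnames, parameter names and the sample address below are constructed."""
import base64
import hashlib
import urllib.parse
from typing import Dict, List

HASH_ALGOS = ("md5", "sha1", "sha256")


def candidate_encodings(email: str) -> Dict[str, str]:
    """Map an encoding label to the string a request would carry for it.
    A 'lowercase-' variant is added because trackers commonly hash the
    normalised (lower-cased) address rather than the exact text typed."""
    variants = {"": email}
    normalised = email.strip().lower()
    if normalised != email:
        variants["lowercase-"] = normalised
    forms: Dict[str, str] = {}
    for prefix, value in variants.items():
        raw = value.encode()
        forms[prefix + "plain"] = value
        forms[prefix + "urlencoded"] = urllib.parse.quote(value, safe="")
        forms[prefix + "base64"] = base64.b64encode(raw).decode()
        for algo in HASH_ALGOS:
            digest = hashlib.new(algo, raw)
            forms[prefix + algo] = digest.hexdigest()
            # some scripts send the digest bytes base64-encoded instead of hex
            forms[prefix + algo + "-base64"] = base64.b64encode(digest.digest()).decode()
    return forms


def find_leaks(email: str, request_url: str, request_body: str = "") -> List[Dict[str, str]]:
    """Return one record per encoding of `email` found in the URL or body.
    The haystack is also searched after percent-decoding, so a base64 or
    hex value wrapped inside a query string or form body still matches."""
    haystack = request_url + "\n" + request_body
    searchable = [haystack, urllib.parse.unquote(haystack)]
    host = urllib.parse.urlsplit(request_url).hostname or ""
    hits: List[Dict[str, str]] = []
    for label, needle in sorted(candidate_encodings(email).items()):
        # hex digests may be sent upper-cased; base64 and plain text are case-sensitive
        is_hex = label.rsplit("-", 1)[-1] in HASH_ALGOS
        for text in searchable:
            if needle in text or (is_hex and needle.upper() in text):
                hits.append({"encoding": label, "request_host": host})
                break
    return hits


# Constructed sample input: the address a hypothetical crawler typed into a form,
# plus three requests observed before any submit click. All names are invented.
SAMPLE_EMAIL = "Jane.Doe@example.com"
_forms = candidate_encodings(SAMPLE_EMAIL)
SAMPLE_REQUESTS = [
    # hashed, lower-cased address in a query parameter
    {"url": "https://pixel.tracker.example/collect?v=1&em=" + _forms["lowercase-sha256"], "body": ""},
    # base64 of the exact address, percent-encoded inside a POST body
    {"url": "https://cdp.tracker.example/ingest",
     "body": "payload=" + urllib.parse.quote(_forms["base64"], safe="")},
    # ordinary first-party script fetch, no leak
    {"url": "https://cdn.site.example/app.js", "body": ""},
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(req["url"], find_leaks(SAMPLE_EMAIL, req["url"], req["body"]))
```

The `request_host` field is only the hostname; mapping it to the eTLD+1 and owner shown in the "Request Domain" and "Third Party Entity" columns needs a public-suffix list and a tracker database such as the Tracker Radar dataset named above, which this stand-alone snippet deliberately leaves out.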