New research shows that some of the world’s top websites collect data — including emails and passwords — from forms even if the user does not click the ‘Submit’ button.
Submission forms are nearly as old as the internet itself, providing a way for individuals to create accounts, sign in to those accounts, join mailing lists and more. The Submit button is a critical part of those forms, with an implied agreement that data will not be captured until it is clicked. Unfortunately, some of the top websites are collecting users’ data anyway, without the proper consent.
According to researchers from KU Leuven (Leuven, Belgium), Radboud University, and University of Lausanne, “users’ email addresses are exfiltrated to tracking, marketing and analytics domains before form submission and before giving consent on 1,844 websites when visited from the EU and 2,950 when visited from the US.”
Interestingly, some 52 websites used third-party session replay scripts to capture passwords as well. Fortunately, all 52 rectified that specific problem when notified.
Not surprisingly, social media sites were some of the worst offenders, with both Meta and TikTok capturing hashed personal information from forms regardless of whether the user clicked Submit. Obviously the data collection occurred without the user’s consent.
Below is a list of some of the top sites that leaked email addresses to tracker domains (although some of these have since corrected the issue):
- businessinsider.com
- usatoday.com
- foxnews.com
- trello.com
- independent.co.uk
- theverge.com
- shopify
- marriott
- newsweek
- codecademy.com
- azcentral.com
“If there’s a Submit button on a form, the reasonable expectation is that it does something—that it will submit your data when you click it,” Güneş Acar, a professor and researcher at Radboud University who led the study, told Ars Technica. “We were super surprised by these results. We thought maybe we were going to find a few hundred websites where your email is collected before you submit, but this exceeded our expectations by far.”
“The privacy risks for users are that they will be tracked even more efficiently; they can be tracked across different websites, across different sessions, across mobile and desktop,” Acar added. “An email address is such a useful identifier for tracking, because it’s global, it’s unique, it’s constant. You can’t clear it like you clear your cookies. It’s a very powerful identifier.”
The researchers have created LeakInspector, a Firefox extension that will help detect when a form is collecting data without consent. Users concerned with their privacy should download the extension immediately.