According to security researchers, companies for tracking, marketing and analytics choose the email addresses of Internet users from web forms before sending them and without the consent of users. It is said that some of these firms have also inadvertently seized passwords from these forms. The register reports: In a research paper scheduled to appear at the Usenix ’22 Security Conference later this year, authors Asuman Senol (imec-COSIC, KU Leuven), Gunes Akar (Redbud University), Matthias Humbert (Lausanne University) and Frederic Zuisderwen Borge (Radboud University) describe how they measured data processing in web forms on the 100,000 best websites in the Tranco research site rankings. Boffins have created their own software to measure the collection of email data and passwords from web forms – structured web input fields through which site visitors can enter data and send it to a local or remote application.
“Our analysis shows that users’ e-mail addresses fall into the domains of tracking, marketing and analytics before submitting the form and without the consent of 1,844 websites in the EU and 2,950 websites in the US,” the researchers said in a statement. that addresses may be unencrypted, encoded, compressed, or hashed depending on the provider provider. Most of the captured email addresses have been sent to known tracking domains, although Boffins say they have identified 41 tracking domains that are not on any of the popular lists. “In addition, we find random collection of passwords on 52 websites using third-party sessions,” the researchers said.