Leaky Forms: Thousands of sites retrieve emails before a form is submitted

Many web forms, such as the ones used to create an account, send the information entered in them without the user's permission. That is what the "Leaky Forms" study, conducted by four academic security researchers, reveals. On thousands of websites, an email address is saved as soon as it is typed in, even if the user never submits the form. In some rare cases, the password for the newly created account is sent as well, by mistake.

In this example provided by the researchers, the account creation form of Gitlab.com (GitHub's competitor) sends the email address before the form is submitted. The address is clearly visible in the browser console below while the form is still being filled in.

In theory, the information entered in a web form is sent only when the user chooses to submit it, usually by pressing a button. If the user decides not to confirm the registration, they can cancel by closing the page, and nothing they entered should be retained by the site. In practice, thousands of websites violate this best practice and retrieve the information as soon as it is entered. All web browsers are affected, including Safari.

This dishonest method lets websites collect many email addresses even from visitors who never sign up. The addresses can be used for statistics, added to mailing lists or sold to third parties. The researchers automatically analyzed the 100,000 most popular sites and found the practice on 2,950 of them in the United States and 1,844 in Europe, in total disregard of the GDPR.

In 52 cases the password was also sent as soon as it was entered in the form, though according to the researchers this was an error, caused by "ready-made" scripts supplied to websites by services that specialize in online advertising and marketing. Companies such as Meta (formerly Facebook) and TikTok can thus obtain form data from third-party sites that use their tools.

The Canadian site of the Red Cross sends to TikTok, perhaps unknowingly, the email addresses entered in a form dedicated to its mailing list. Here the address is hashed with SHA-256, but in other cases it is easy to find in plain text.

The researchers contacted Meta and TikTok, as well as the advertising services involved in the collection, to inform them, in particular from a GDPR perspective. When they ran a new analysis earlier this year, they noted a significant drop in the number of sites sending information from forms, at least in Europe. In many cases the data is no longer shared unless consent has first been given in the initial pop-up. The decline is smaller in the United States, where regulation is more flexible.

The findings are published in an academic paper, and lists of the most popular affected sites can be viewed on a more accessible web page. The source code of the tool used to analyze the sites is available on GitHub, and you can use LeakInspector, a browser extension that warns when a site is affected. The extension does not meet Chrome's requirements (it needs access to the web requests made by a page) and therefore cannot be distributed directly for Google's browser, but the researchers provide a version for Firefox.
