Internet | 16.05.2022

Top websites hosted keylogger scripts that grab data before you click submit

A study conducted by researchers from KU Leuven, Radboud University, and the University of Lausanne found that 1,844 top websites collected European users’ email addresses without their consent.

They also found that 2,950 of them automatically logged the email addresses of US users in some form.

The researchers noted that it is not the website itself logging the data in most cases but third-party marketing and analytics services.

“If there’s a Submit button on a form, the reasonable expectation is that it does something — that it will submit your data when you click it,” Ars Technica quoted one of the study leaders, Güneş Acar, as saying.

“We were super surprised by these results. We thought maybe we were going to find a few hundred websites where your email is collected before you submit, but this exceeded our expectations by far.”

The team analysed the top 100,000 websites, comparing scenarios for users connecting from the EU and US.

While analysing websites, the research team found 52 websites through which third parties were collecting password data before submission.

The third parties included the Russian tech company Yandex. However, the issues have been resolved since the research team notified the websites of its findings.

According to the study, email addresses are collected via means similar to a keylogger — a malicious program that records what a user types.

However, the researchers noted that it varied between websites, with some recording keystroke by keystroke and others grabbing complete submissions.

Asuman Senol, another researcher on the team, added that some sites grab the data you have entered as soon as you click into the next field.
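As an added illustration (not code from the article or from the study), here is a small browser-side audit hook a site owner can load first on a page to see which third-party script origins attach keystroke or blur listeners to email and password fields before any submit happens. The event list, the origin-from-stack heuristic and all names are assumptions.

```javascript
// Audit hook (added example, assumed design): wrap addEventListener so that
// every listener registered on an email/password field for a pre-submit event
// (keystroke, input, blur) is recorded together with the script origins found
// in the call stack. Cross-origin registrations are the ones worth reviewing.
const PRE_SUBMIT_EVENTS = new Set(['keydown', 'keyup', 'keypress', 'input', 'change', 'blur', 'focusout']);
const SENSITIVE_TYPES = new Set(['email', 'password', 'text']);

// Extract scheme://host origins from a stack trace string (heuristic).
function originsFromStack(stack) {
  const out = new Set();
  for (const m of String(stack).matchAll(/(https?:\/\/[^\/\s:)]+)/g)) out.add(m[1]);
  return [...out];
}

function isSensitiveField(target) {
  return Boolean(target) &&
    String(target.tagName).toUpperCase() === 'INPUT' &&
    SENSITIVE_TYPES.has(String(target.type || 'text').toLowerCase());
}

// Classify one registration; returns a finding object or null when benign.
function classifyRegistration(target, eventType, stack, pageOrigin) {
  if (!isSensitiveField(target) || !PRE_SUBMIT_EVENTS.has(eventType)) return null;
  const thirdParty = originsFromStack(stack).filter((o) => o !== pageOrigin);
  if (thirdParty.length === 0) return null; // first-party listener, expected
  return {
    field: target.name || target.id || '(unnamed)',
    fieldType: String(target.type || 'text'),
    event: eventType,
    origins: thirdParty,
  };
}

// Install the hook; findings accumulate in the returned array.
function installAudit(pageOrigin, report = []) {
  const original = EventTarget.prototype.addEventListener;
  EventTarget.prototype.addEventListener = function (type, listener, options) {
    const finding = classifyRegistration(this, type, new Error().stack || '', pageOrigin);
    if (finding) report.push(finding);
    return original.call(this, type, listener, options);
  };
  return report;
}
```

In a real page the report would be inspected after the third-party tags have loaded; a finding whose origins list a tracker domain on a blur or input event is exactly the pre-submit collection the study describes.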

The group also discovered that Meta Pixel and TikTok Pixel — marketing trackers embedded on websites to track users and show them ads — were grabbing hashed email addresses.

Both marketing trackers’ documentation states that customers have to switch on “automatic advanced matching” before data is collected when a user submits a form.

However, the researchers found that for US users, 8,438 sites were potentially leaking data to Meta, and 7,739 sites may be affected for EU users.
