Leaky forms: Thousands of websites share personal data with advertisers, study shows

Thousands of websites hosting online forms are capturing data entered into them live before submission and then leaking the identifying data to third-party data brokers, advertisers and marketing companies.

The revelation was made in a new study by researchers at KU Leuven, Radboud University and Lausanne University. It found that users' email addresses are exfiltrated to these third parties before the forms are submitted and before consent was given on 1,844 websites visited from the EU and 2,950 visited from the US.

“We found incidental password collection on 52 websites by third-party session replay scripts,” the researchers wrote in their findings, adding that these issues were later fixed thanks to their disclosures.

“In a follow-up investigation, we found that Meta (formerly Facebook) and TikTok collect hashed personal information from web forms even when the user does not submit the form and does not give consent.”

Apart from Meta and Tiktok, other top websites where email addresses were being leaked to tracker domains include many familiar names: USA Today, Trello, Independent UK, Shopify and Marriot were the top five for EU visitors. 

Other sites in the top 10 include the websites for Newsweek, Prezi and Code Academy, the last two being popular sites for students. 

“According to Meta's and TikTok's documentation, Automatic Advanced Matching should trigger data collection when a user submits a form. We found that unlike what is claimed, both Meta and TikTok Pixel collect hashed personal data when the user clicks links or buttons that in no way resemble a submit button,” the researchers found.

“In fact, Meta and TikTok scripts don't even try to recognise submit buttons, or listen to form submit events. You can view their overly broad and suspiciously similar list of selectors, which designates what page elements will trigger data collection  – that means Meta and TikTok Pixel collect hashed personal information, even when a user decides to abandon a form, and clicks a button or link to navigate away from the page.”

Speaking to the monthly magazine Wired, Güneş Acar, a professor and researcher at Radboud University's Digital Security Group, said they were surprised by the results of their study.

“We thought we would maybe find a few hundred websites where your email is collected before you submit it, but this far exceeded our expectations,” Acar said.

The fashion and beauty sectors were the most common sites with such behaviour, both in the US and in Europe, followed in second place by online shopping sites.

In terms of who was collecting the data from the leaky websites, in the EU, the top five offenders were Taboola, Adobe, FinStory, Awin and Yandex. Meta and TikTok were also the two largest companies among the tracking domains that collected user data, mainly emails.

The tracking domains collecting passwords in the EU were Yandex.com, Yandex.ru, mixpanel.com and lr-ingest.io.

The sites concerned reportedly corrected their online behaviour after the study was disclosed, but researchers were clear that “based on our findings, users should assume that the personal information they enter into web forms can be collected by trackers - even if the form is never submitted.”