It’s holiday time, and you book a room at a Marriott chain hotel over the Internet. You go to the site, find the booking page and start filling in the form: last name, first name, e-mail… Then you decide Marriott is a bit expensive, tell yourself a campsite will do, abandon the reservation and leave the Marriott.com site. Even though you never clicked anything to submit, and believe you have sent no data, your e-mail address has already been collected, simply because you typed it into the online form!
A team of four researchers specializing in IT and privacy at Radboud University Nijmegen (Netherlands), KU Leuven (Belgium) and the University of Lausanne (Switzerland) presented the discovery at the USENIX Security Symposium in Boston, held August 10 to 12, 2022.
Collection by third party companies
By examining the behavior of no fewer than 100,000 pages with contact-detail forms on the most prominent websites (hotels, media, e-commerce sites, etc.) in Europe and the US, they found that thousands of them collect personal data before the user clicks “send”. The tally: 1,844 European sites and 2,950 on the American web. And obviously, none of this happens with the users’ knowledge.
Strictly speaking, the collection is not done by the sites themselves but by third-party companies specializing in marketing and ad targeting, whose “trackers” are spread all over the web: companies like Taboola, AdRoll, AddThis, SaleCycle, FullStory or, better known, Criteo, Facebook (which specifically captures telephone numbers) and Yahoo.
We are talking about e-mail addresses (in hashed form or in plaintext), names and telephone numbers. That’s not all: on 52 sites, even passwords were collected, again before validation. In the latter case, the researchers immediately notified the sites concerned, which corrected what was more an oversight than a technical bug.
Email, a privileged target
Data is sometimes exfiltrated when the form is completed but not validated; in other cases, all it takes for the data to leak is for the visitor to fill in one field and move on to the next; or, again, the collection happens as each letter is typed!
For Asuman Senol, a doctoral student at KU Leuven, an expert in online tracking and co-author of the study, Google’s announcement that it will end third-party cookies in Chrome by 2023 (the trackers that currently allow a site to follow Internet users wherever they go online), together with the search for stable identity data, makes the e-mail address a privileged target.
On the other hand, the responsibility of the sites on which this leak takes place through contact forms is not clear. “Websites integrate third-party scripts for various reasons: traffic analysis, marketing, authentication… In some cases, developers don’t know exactly what kind of data third-party companies collect,” the researcher said. Moreover, certain cases of password collection are accidental, mainly due to a piece of code present in the React development framework and used by Yandex Metrica (a free web analytics service).
A “leak inspector”
However, in the face of these discoveries, the team also realized that there were no “countermeasures to detect exfiltration attempts [of personal data]”, the research paper notes. So it developed a browser extension dedicated to this task, called Leak Inspector, so that developers can see what is happening on the sites they build out of ready-made technical building blocks. It is still very experimental and its code is free and open, intended to be improved. For example, Leak Inspector is currently not compatible with the Firefox and Chrome browsers.