Sat. Jun 25th, 2022

    Content Assessment: Challenged by Leaky Forms? A Study of Email and Password Exfiltration

    Information - 95%
    Insight - 97%
    Relevance - 92%
    Objectivity - 94%
    Authority - 92%

    94%

    Excellent

    A short percentage-based assessment of the qualitative benefit of the recent research highlighting email and password exfiltration before online form submissions.

    Editor’s Note: From time to time, ComplexDiscovery highlights publicly available or privately purchasable announcements, content updates, and research from cyber, data, and legal discovery providers, research organizations, and ComplexDiscovery community members. While ComplexDiscovery regularly highlights this information, it does not assume any responsibility for content assertions.

    To submit recommendations for consideration and inclusion in ComplexDiscovery’s cyber, data, and legal discovery-centric service, product, or research announcements, contact us today.


    Background Note: Appearing at USENIX Security’22, the report Leaky Forms: A Study of Email and Password Exfiltration Before Form Submission notes that email addresses—or identifiers derived from them—are known to be used by data brokers and advertisers for cross-site, cross-platform, and persistent identification of potentially unsuspecting individuals. In order to find out whether access to online forms is misused by online trackers, the authors of this new report present a measurement of email and password collection that occurs before form submission on the top 100K websites. Given the potential privacy and security implications of leaky forms, this research may be beneficial for cybersecurity, information governance, and legal discovery professionals seeking to better understand the challenges and consequences of email and password exfiltration prior to form submissions.

    Research Report*

    Leaky Forms: A Study of Email and Password Exfiltration Before Form Submission

    By Asuman Senol, Gunes Acar, Mathias Humbert, and Frederik Zuiderveen Borgesius

    Report Abstract

    Web users enter their email addresses into online forms for a variety of reasons, including signing in or signing up for a service, or subscribing to a newsletter. While enabling such functionality, email addresses typed into forms can also be collected by third-party scripts even when users change their minds and leave the site without submitting the form. Email addresses—or identifiers derived from them—are known to be used by data brokers and advertisers for cross-site, cross-platform, and persistent identification of potentially unsuspecting individuals. In order to find out whether access to online forms is misused by online trackers, we present a measurement of email and password collection that occurs before the form submission on the top 100,000 websites. We evaluate the effect of user location, browser configuration, and interaction with consent dialogs by comparing results across two vantage points (EU/US), two browser configurations (desktop/mobile), and three consent modes. Our crawler finds and fills email and password fields, monitors the network traffic for leaks, and intercepts script access to filled input fields. Our analyses show that users’ email addresses are exfiltrated to tracking, marketing, and analytics domains before form submission and without giving consent on 1,844 websites in the EU crawl and 2,950 websites in the US crawl. While the majority of email addresses are sent to known tracking domains, we further identify 41 tracker domains that are not listed by any of the popular blocklists. Furthermore, we find incidental password collection on 52 websites by third-party session replay scripts.

    Report Conclusion

    We presented a large-scale study of email and password exfiltration by online trackers before form submission. In order to address the challenges of finding and filling input fields, we integrated into our crawler a pre-trained ML classifier that detects email fields. Our results—likely lower bounds—show that on thousands of sites email addresses are collected from login, registration, and newsletter subscription forms; and sent to trackers before users submit any form or give their consent. Further, we found tens of sites where passwords are incidentally collected by third parties providing session replay services. Comparing results from the EU and the US vantage points, we found that 60% more websites leaked users’ emails to trackers, when visited from the US. Measuring the effect of consent choices on the exfiltration, we found their effect to be minimal. Based on our findings, users should assume that the personal information they enter into web forms may be collected by trackers—even if the form is never submitted. Considering its scale, intrusiveness, and unintended side effects, the privacy problem we investigate deserves more attention from browser vendors, privacy tool developers, and data protection agencies.

    Read the original overview.
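
The abstract says the crawler "monitors the network traffic for leaks" of a filled-in email address or identifiers derived from it. The sketch below is an added example of that kind of check for auditing your own site's captured requests; it is not code from the paper or its crawler. The set of encodings searched, the request record fields (`url`, `body`, `submitted`), and all hostnames are assumptions made for illustration.

```python
import base64
import hashlib
from urllib.parse import unquote, urlsplit

EMAIL = "crawler-test@example.com"   # constructed test address
SITE = "shop.example"                # constructed first-party domain

def email_tokens(email):
    """Forms of the address to search for (this encoding set is an assumption)."""
    raw = email.strip().lower().encode()
    tokens = {"plaintext": raw.decode(),
              "base64": base64.b64encode(raw).decode().rstrip("=")}
    for algo in ("md5", "sha1", "sha256"):
        tokens[algo] = hashlib.new(algo, raw).hexdigest()
    return tokens

def is_third_party(host, site_domain):
    # Suffix match only; a real audit should compare eTLD+1 via the Public Suffix List.
    return not (host == site_domain or host.endswith("." + site_domain))

def find_leaks(email, site_domain, requests):
    """Return sorted (host, encoding) pairs for third-party requests that
    carried the address before the form was submitted."""
    tokens = email_tokens(email)
    leaks = set()
    for req in requests:
        host = urlsplit(req["url"]).hostname or ""
        if req["submitted"] or not is_third_party(host, site_domain):
            continue
        hay = unquote(req["url"]) + "\n" + unquote(req.get("body", ""))
        for label, tok in tokens.items():
            # Exact match covers base64; lowercased match covers hex and plaintext.
            if tok in hay or tok in hay.lower():
                leaks.add((host, label))
    return sorted(leaks)

# Constructed sample traffic (not real capture data).
SAMPLE_REQUESTS = [
    {"url": "https://shop.example/api/validate?email=crawler-test%40example.com",
     "body": "", "submitted": False},                       # first party: ignored
    {"url": "https://collect.tracker.example/p?e=" + email_tokens(EMAIL)["sha256"],
     "body": "", "submitted": False},
    {"url": "https://replay.analytics.example/rec",
     "body": '{"field":"email","value":"Crawler-Test@example.com"}', "submitted": False},
    {"url": "https://cdn.widgets.example/pixel?u=" + email_tokens(EMAIL)["base64"],
     "body": "", "submitted": False},
    {"url": "https://mail.provider.example/subscribe",
     "body": "email=crawler-test%40example.com", "submitted": True},  # after submit: ignored
]

if __name__ == "__main__":
    for host, encoding in find_leaks(EMAIL, SITE, SAMPLE_REQUESTS):
        print(f"pre-submit leak to {host} ({encoding})")
```
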


    Complete Report – Leaky Forms: A Study of Email and Password Exfiltration Before Form Submission (PDF)

    Read the original paper.


    *Shared as Open Access Media by USENIX – The Advanced Computing Systems Association.

    Reference: Senol, A., Acar, G., Humbert, M. and Zuiderveen Borgesius, F., 2022. Leaky Forms: A Study of Email and Password Exfiltration Before Form Submission. 31st USENIX Security Symposium (USENIX Security 22). [online] USENIX Association. Available at: <https://www.usenix.org/system/files/sec22fall_senol.pdf> [Accessed 16 May 2022].

    Source: ComplexDiscovery