Anyone and everyone is going to be extra mindful of what information is shared digitally these days, and even most kids are aware of the fact that you can’t be entirely at ease about what you type into submission fields and then press ‘Enter’. You need to be mindful of what you share, but it turns out you need to be the same way before you even press the enter button at all. Many people may think they’ve smartly avoided any potential problems by backspacing over something they’ve typed and were about to submit, but it turns out the damage may already be done.
We’ll get to what exactly is at issue here, but before we do we should make clear that ‘leaks’ don’t always end up being what they are on purpose. Many times there is information exposed not because someone is choosing to do so, but rather because the information is contained in location that doesn’t actually have the security protocols owners / users will think that it does. Truth of the matter it is nearly impossible to be airtight with this stuff 100% of the time.
Here at 4GoodHosting we’re like any other good Canadian web hosting provider in that we like to share information with our customers anytime we find example of it that we know will have real significance with them. This is one of those scenarios, as nearly everyone is going to be choosing to voluntarily provide information about themselves when asked to do so online. Any way you can be more in the know about dos and don'ts when it comes to this is going to be helpful, so here we are for this week.
Made Available
A recent study that looked into the top 100k ranking websites is indicating that many are leaking information you enter in the site forms to third-party trackers, and that this may be happening ever before you press submit. The data that is being leaked may include personal identifiers, email addresses, usernames, passwords, along with messages that were entered into forms but deleted and never actually submitted.
This type of data leak is sneaky because until now internet users would assume that the information they type on websites isn't available unless they submit it. That IS true most of the time, but for almost 3% of all tested sites there is the possibility of once it’s typed out it’s already been made available and that’s the reality even if you don’t actually submit the info.
A crawler based on DuckDuckGo's Tracker Radar Collector tool was what was used to monitor exfiltration activities, and the results do confirm that this is very much a possibility and there’s not much if anything that could be seen as tip-off for users to indicate to them when this risk is present and where information should ideally not be entered into the field at all.
Nearly 19k of Sites
The crawler was equipped with a pre-trained machine-learning classifier that detected email and password fields as wall as making access to those fields interceptable. Then the test of 2.8 million pages found on the top 100,000 highest ranking sites in the world, and then found that of those 100k 1,844 websites let trackers exfiltrate email addresses before submission when visited from Europe. That is not such a high percentage, but for the same ratio in America it’s an entirely different story.
When visiting those same websites from the US, there were a full 2,950 sites collecting information before submission and in addition researchers determined 52 websites to be collecting passwords in the same way. It should be mentioned that some of them did make changes and efforts to improve security after being made aware of the research findings and informed that they were leaking.
But the logical next question here is who is receiving the data? We know that website trackers serve to monitor visitor activity, derive data points related to preferences, log interactions, and for each user an ID is created and one that is – supposedly - anonymous. Trackers are used by the sites to give a more personalized online experience to their users, and the value for them is having advertisers serve targeted ads to their visitors with an eye to increasing monetary gains.
Keystroke Monitoring
The bulk of these 3rd-party trackers are using scripts that monitor for keystrokes when inside a form. When this happens they then save the content, and collect it even before the user has pressed that submit button. The outfall of this then becomes having data entered on forms logged but losing the anonymity of trackers to push up privacy and security risks big time.
There are not a lot of these trackers out there, and most of the ones that are in operation are known by name. 662 sites were found to have LiveRamp’s trackers, 383 had Taboola, and Adobe’s Bizible was running on 191 of them. Further, Verizon was collecting data from 255 sites. All of this is paired with the understanding that the problem stems from a small number of trackers that are prevalent on the web.
So what is a person or organization to do? The consensus is the best way to deal with this problem is to block all 3rd-party trackers using your browser's internal blocker. A built-in blocker is standard for nearly all web browsers, and it is usually found in the privacy section of the settings menu.
Private email relay services are a smart choice to because they give users the capacity to generate pseudonymous email addresses. In the event someone does get their hands on it, identification won't be possible. And for those who want to be maximum proactive there is a browser add-on named Leak Inspector and it monitors exfiltration events on any site and provides warnings to users when there is a need for them.
