Bookmark: "Leaky Forms: A Study of Email and Password Exfiltration Before Form Submission"

Sebastian Greger


This is another one of those papers that make your blood boil: through an experimental setup, the researchers found an astonishing number of websites leaking email addresses entered by users to third-party trackers, often even in cases where the user decides not to submit the form after all.

Email addresses—or identifiers derived from them—are known to be used by data brokers and advertisers for cross-site, cross-platform, and persistent identification of potentially unsuspecting individuals. In order to find out whether access to online forms is misused by online trackers, we present a measurement of email and password collection that occurs before form submission on the top 100K websites.

The paper also discusses the legal aspects regarding GDPR, with their empirical data indicating that US users are a lot more likely to be tracked in this way. For many, ethical conduct on the web unfortunately remains a compliance issue rather than a matter of thinking of the human beings using their services.

The browser extension featured on the page sounds like a neat tool for privacy audits as well (I haven’t yet tested it myself):

We developed LeakInspector to help publishers and end-users to audit third parties that harvest personal information from online forms without their knowledge or consent.

The unethical (and no doubt mostly illegal) extraction of data from unsubmitted forms has been the subject of earlier discussion:

