A surprising number of websites include JavaScript keyloggers that collect everything you type as you type it, not just when you submit a form.
Researchers from KU Leuven, Radboud University, and University of Lausanne crawled and analyzed the top 100,000 websites, looking at scenarios in which a user is visiting a site while in the European Union and visiting a site from the United States. They found that 1,844 websites gathered an EU user’s email address without their consent, and a staggering 2,950 logged a US user’s email in some form. Many of the sites seemingly do not intend to conduct the data-logging but incorporate third-party marketing and analytics services that cause the behavior.
After specifically crawling sites for password leaks in May 2021, the researchers also found 52 websites in which third parties, including the Russian tech giant Yandex, were incidentally collecting password data before submission. The group disclosed their findings to these sites, and all 52 instances have since been resolved.
“If there’s a Submit button on a form, the reasonable expectation is that it does something — that it will submit your data when you click it,” says Güneş Acar, a professor and researcher in Radboud University’s digital security group and one of the leaders of the study. “We were super surprised by these results. We thought maybe we were going to find a few hundred websites where your email is collected before you submit, but this exceeded our expectations by far.”
Research paper.
More Stories
Threat Actors Shift to JavaScript-Based Phishing Attacks
Cybercriminals are increasingly prioritizing script-based phishing techniques over one based on traditional malicious documents Read More
Cybersecurity Incident Affects Arkansas City Water Treatment Facility
Arkansas City’s water treatment facility faced a cyber incident on Sunday and has since switched to manual operations Read More
Warnings after new Valencia ransomware group strikes businesses and leaks data
A new ransomware operation has started to leak information it claims has been stolen from organisations it has compromised around...
New Octo2 Malware Variant Threatens Mobile Banking Security
Cybercriminals have been observed disguising Octo2 as legitimate apps like Google Chrome and NordVPN Read More
The AI Fix #17: Why AI is an AWFUL writer and LinkedIn’s outrageous land grab
In episode 17 of The AI Fix, our hosts meet the worst newsreaders in the world, Graham learns about Big...
14 Million Patients Impacted by US Healthcare Data Breaches in 2024
SonicWall found that data breaches caused by malware attacks on US healthcare organizations have affected 14 million people so far...