Website Forms Reported to be Collecting Data Even Before Submission
June 23, 2017
Shah Sheikh (1294 articles)
Share

Website Forms Reported to be Collecting Data Even Before Submission

‘Do I really need to give this website so much about me?’

That’s exactly what I usually think after filling but before submitting a web form online asking for my personal details to continue.

I am sure most of you would either close the whole tab or would edit already typed details (or filled up by browser’s auto-fill feature) before clicking ‘Submit’ — Isn’t it?

But closing the tab or editing your information hardly makes any difference because as soon as you have typed or auto-filled anything into the online form, the website captures it automatically in the background using JavaScript, even if you haven’t clicked the Submit button.

During an investigation, Gizmodo has discovered that code from NaviStone used by hundreds of websites, invisibly grabs each piece of information as you fill it out in a web form before you could hit ‘Send’ or ‘Submit.’

NaviStone is an Ohio-based startup that advertises itself as a service to unmask anonymous website visitors and find out their home addresses.

There are at least 100 websites that are using NaviStone’s code, according to BuiltWith, a service that tells you what tech sites employ.

Gizmodo tested dozens of those websites and found that majority of sites captured visitors’ email addresses only, but some websites also captured their personal information, like home addresses and other typed or auto-filled information.

How do Websites Collect ‘Data’ Before Submitting Web Forms?

Screen Shot 2017-06-23 at 6.04.12 PM

Using JavaScript, the websites in question were sending user’s typed or auto-filled information of an online form to a server at “murdoog.com,” which is owned by NaviStone, leaving no option for people who immediately change their minds and close the page.

When the publication asked NaviStone that how it unmasks anonymous website visitors, the company denied revealing anything, saying that “its technology is proprietary and awaiting a patent.”

However, when asked whether email addresses are gathered in order to identify the person and their home addresses, the company’s chief operating officer Allen Abbott said NaviStone does not “use email addresses in any way to link with postal addresses or any other form of PII [Personal Identifiable Information].”

Some websites using NaviStone’s code are collecting information on visitors who are not even their customers and do not share any relationship with the companies.

After the story had gone live, NaviStone agreed to no longer collect email addresses from visitors this way, as Abbott said, “While we believe our technology has been appropriately used, we have decided to change the system operation such that email addresses are not captured until the visitor hits the ‘submit’ button.”

Disable Auto-Fill; It’s Leaking Your Information!

In order to protect yourself from such websites collecting your data without your consent, you should consider disabling auto-fill form feature, which is turned on by default, in your browser, password manager or extension settings.

At the beginning this year, we also warned you about the Auto-fill feature, which automatically fills out web form based on data you have previously entered in similar fields but can be misused by attackers hiding fields (out of sight) in the web form and stealing your personal information without your knowledge.

Here’s how to turn this feature off in Chrome:

Go to Settings → Show Advanced Settings at the bottom, and under the Passwords and Forms section uncheck Enable Autofill box to fill out web forms with a single click.

In Opera, go to Settings → Autofill and turn it off.

In Safari, go to Preferences and click on AutoFill to turn it off.

Also, think twice before filling your details into any web form, before it gets too late.

Source | hackernews