Leaky Forms: A Study of Email and Password Exfiltration Before Form Submission


To appear at USENIX Security'22


Email addresses—or identifiers derived from them—are known to be used by data brokers and advertisers for cross-site, cross-platform, and persistent identification of potentially unsuspecting individuals. To find out whether access to online forms is misused by online trackers, we present a measurement of email and password collection that occurs before form submission on the top 100K websites.

Paper » Source code » Browser add-on »