Abstract
Most modern web services offer their users the ability to register via dedicated registration pages. Most of the time, they use this method so that users can benefit from access to more content or privileged items. In these pages, users are typically requested to provide their names, email addresses, phone numbers and other personal information in order to create an account. As the purpose of the tracking ecosystem is to collect as much information and data from the user as possible, this kind of Personally Identifiable Information (PII) might leak to 3rd parties when users fill in the registration forms. In this work, we conduct a large-scale measurement analysis of PII leakage via the registration pages of the 200,000 most popular websites. We design and implement a scalable and easily replicable methodology for detecting and filling registration forms in an automated way. Our analysis shows that a number of websites (\(\approx\)5%) leak PII to 3rd-party trackers without any user consent, in a non-transparent fashion. Furthermore, we explore the techniques employed by 3rd parties to harvest users' data, and we highlight the implications for user privacy.
Notes
1. By corpus we mean the set of sites that we successfully visited and whose registration forms we identified and filled in.
2. The description on their site contains the terms: visual way to understand your users, scrolling heatmaps, eye tracking, scroll heatmaps, replicate.
Acknowledgments
The research leading to these results has received funding from the European Union’s Horizon 2020 Research and Innovation Programme under grant agreement No. 786669 (project CONCORDIA). The paper reflects only the authors’ views, and the Agency and the Commission are not responsible for any use that may be made of the information it contains.
Copyright information
© 2020 Springer Nature Switzerland AG
About this paper
Cite this paper
Chatzimpyrros, M., Solomos, K., Ioannidis, S. (2020). You Shall Not Register! Detecting Privacy Leaks Across Registration Forms. In: Fournaris, A., et al. Computer Security. IOSEC MSTEC FINSEC 2019 2019 2019. Lecture Notes in Computer Science, vol 11981. Springer, Cham. https://doi.org/10.1007/978-3-030-42051-2_7
DOI: https://doi.org/10.1007/978-3-030-42051-2_7
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-42050-5
Online ISBN: 978-3-030-42051-2
eBook Packages: Computer Science, Computer Science (R0)