This repository contains the code for our paper titled Leaky Forms: A Study of Email and Password Exfiltration Before Form Submission.
The paper is based on a measurement of email and password collection that occurs before the form submission on the top 100,000 websites. We evaluate the effect of user location (EU vs. US), browser configuration (desktop vs. mobile), and interaction with consent dialogs (accept all/reject all/no interaction).
For a more detailed overview please visit the project's homepage.
Code: https://github.com/asumansenol/leaky-forms-crawler
A high-level overview of our crawler is given below:
We extended DuckDuckGo’s Tracker Radar Collector to measure email and password exfiltration. Our crawler was capable of detecting and filling email and password fields, and intercepting script access to filled input fields.
Email field detection: In order to identify email fields, we integrated into our crawler Fi
78F6
refox Relay’s Fathom-based email field classifier. Using this model allowed us to identify 76% more email fields than we would detect by simply searching for input fields with type email.
Consent automation: We integrated Consent-O-Matic into our crawler to investigate the effect of users’ consent preferences. Consent-O-Matic (Nouwens et al.) is a browser extension that can recognize and interact (e.g., accept or reject cookies) with various Consent Management Provider (CMP) pop-ups. We configured Consent-O-Matic to log detected CMPs, and interact with the CMP.
The data from ten crawls performed between May 2021 and June 2021 is available for download from this link.
Code: https://github.com/asumansenol/leaky-forms/tree/main/leak-detector
Leak detector module searches for the filled email address and the password, and their various encodings and hashes in the HTTP traffic. The module is based on Englehardt et al.’s method, but it was improved to detect novel ways to exfiltrate the personal data.
Code: https://github.com/asumansenol/leaky-forms/tree/main/analysis
You can find the Jupyter notebooks, pickles and CSVs that are used in the analysis folder.
Code: https://github.com/leaky-forms/leak-inspector
It is a proof-of-concept browser add-on that warns users against sniff attempts and blocks requests containing personal information. You can find the source code of this add-on in this repo.
@inproceedings{senol2022leaky,
title={Leaky Forms: a study of email and password exfiltration before form submission},
author={Senol, Asuman and Acar, Gunes and Humbert, Mathias and Borgesius, Frederik Zuiderveen},
booktitle={31st USENIX Security Symposium (USENIX Security 22)},
pages={1813--1830},
year={2022}
}