A recent study reveals that several thousand sites are able to spy on everything you type on the keyboard. For this, no need to send a form, just fill in the fields for the data to be recorded. Identifiers and passwords can thus be recovered even without logging into their account.
We already suspected that we are not safe anywhere on the Internet, but this latest study will not help matters. The theory would be that for a site to record the data sent to it, it must first have clicked on some button. Therefore, anything typed in the forms cannot be saved until the user decides. That’s for the theory, but the reality is quite different.
A study by the KU Leuven, Radboud and Lausanne universities shows that a surprising number of sites record all your data typed on the keyboard as soon as you are connected to them. 1844 of these sites have been registered in the European Union, compared to 2950 in the United States. A difference that can be explained by the greater vigilance of Europe in terms of privacy on the Internet, in particular through the GDPR.
Related: Kaspersky Antivirus has helped sites spy on you for years
Be careful what you type on websites
In addition, the researchers point out that some sites record keyboard data without doing it on purpose. These behaviors can indeed be triggered by third-party ad trackers. In total, they spotted 52 of this type, including the site of the Russian giant Yandex. The study reports that all the administrators of these platforms were provided with the flaw and all have since been corrected.
“We were super surprised by these results. We thought we might find a few hundred websites where your email is collected before you submit it, but this far exceeded our expectations”, commented Güneş Acar, a researcher at Radboud University. Especially since the operation differs according to the sites: some record the slightest letter typed while others will rather focus on character sequences.
It goes without saying that your email addresses and passwords are damaged by this discovery. “An email address is such a useful identifier for tracking, because it is global, unique, constant. You cannot delete it like you delete your cookies. It is a very powerful identifier», explains Güneş Acar. For information, researchers have developed a Firefox extension called LeakInspect which can detect these data leaks.
Source : Wired