You Shall Not Register! Detecting Privacy Leaks Across Registration Forms

  • Conference paper
Computer Security (IOSEC 2019, MSTEC 2019, FINSEC 2019)

Abstract

Most modern web services let users register via dedicated registration pages, usually so that registered users can access more content or privileged items. On these pages, users are typically asked to provide their names, email addresses, phone numbers and other personal information in order to create an account. Because the purpose of the tracking ecosystem is to collect as much information and data about the user as possible, this kind of Personally Identifiable Information (PII) might leak to 3rd parties when users fill in registration forms. In this work, we conduct a large-scale measurement analysis of PII leakage via the registration pages of the 200,000 most popular websites. We design and implement a scalable and easily replicable methodology for detecting and filling in registration forms in an automated way. Our analysis shows that a number of websites (≈5%) leak PII to 3rd-party trackers without the user's consent, in a non-transparent fashion. Furthermore, we explore the techniques employed by 3rd parties to harvest users' data, and we highlight the implications for user privacy.
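A minimal sketch of the kind of check such a measurement relies on, added here as an illustration and not taken from the paper: it scans the requests captured while a form is filled for the test identity's values going to hosts other than the visited site. The encodings searched (plain, Base64, MD5/SHA-1/SHA-256), the request record layout and the `.test` hostnames are assumptions.

```python
import base64
import hashlib
from urllib.parse import unquote, urlsplit

# Constructed test identity, as a crawler would type it into a registration form.
PII = {"email": "jane.doe@example.org", "phone": "5551234567"}

def variants(value):
    """Forms a value may take on the wire (assumed set: plain, Base64, hex digests)."""
    raw = value.encode()
    out = {"plain": value.lower(), "base64": base64.b64encode(raw).decode().lower()}
    for algo in ("md5", "sha1", "sha256"):
        out[algo] = hashlib.new(algo, raw).hexdigest()
    return out

def site(host):
    """Naive registrable domain (last two labels); real tooling needs the Public Suffix List."""
    return ".".join(host.lower().split(".")[-2:])

def find_leaks(first_party, requests, pii=PII):
    """Return (host, field, encoding, location) for PII found in third-party requests."""
    leaks = []
    for req in requests:
        host = urlsplit(req["url"]).hostname or ""
        if site(host) == site(first_party):
            continue  # submitting the form to the visited site is expected
        parts = {k: req.get(k, "") for k in ("url", "body", "referer")}
        for where, text in parts.items():
            hay = unquote(text).lower()  # undo percent-encoding, compare case-insensitively
            for field, value in pii.items():
                for enc, needle in variants(value).items():
                    if needle in hay:
                        leaks.append((host, field, enc, where))
    return leaks

# Constructed capture: one first-party POST, two third-party beacons, one static asset.
SAMPLE = [
    {"url": "https://www.shop.test/register",
     "body": "email=jane.doe%40example.org&phone=5551234567"},
    {"url": "https://collect.tracker.test/p?uid="
            + hashlib.sha256(PII["email"].encode()).hexdigest(),
     "referer": "https://www.shop.test/register"},
    {"url": "https://cdn.replay.test/rec", "body": '{"input":"jane.doe@example.org"}'},
    {"url": "https://static.shop.test/app.js"},
]

if __name__ == "__main__":
    for leak in find_leaks("www.shop.test", SAMPLE):
        print(leak)
```

Substring matching of this kind misses values that are salted, encrypted or split across parameters, so a clean result is a lower bound on leakage rather than proof of none.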

Notes

  1. By corpus we denote the set of sites that we successfully visited and whose registration forms we identified and filled in.

  2. The description on their site contains the terms: visual way to understand your users, scrolling heatmaps, eye tracking, scroll heatmaps, replicate.

Acknowledgments

The research leading to these results has received funding from the European Union’s Horizon 2020 Research and Innovation Programme under grant agreement No. 786669 (project CONCORDIA). The paper reflects only the authors’ views and the Agency and the Commission are not responsible for any use that may be made of the information it contains.

Corresponding author

Correspondence to Manolis Chatzimpyrros.

Copyright information

© 2020 Springer Nature Switzerland AG

About this paper

Cite this paper

Chatzimpyrros, M., Solomos, K., Ioannidis, S. (2020). You Shall Not Register! Detecting Privacy Leaks Across Registration Forms. In: Fournaris, A., et al. Computer Security. IOSEC 2019, MSTEC 2019, FINSEC 2019. Lecture Notes in Computer Science, vol 11981. Springer, Cham. https://doi.org/10.1007/978-3-030-42051-2_7

  • DOI: https://doi.org/10.1007/978-3-030-42051-2_7

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-42050-5

  • Online ISBN: 978-3-030-42051-2

  • eBook Packages: Computer Science, Computer Science (R0)
