‘Do I really need to give this website so much about me?’
That’s exactly what I usually think after filling but before submitting a web form online asking for my personal details to continue.
I am sure most of you would either close the whole tab or would edit already typed details (or filled up by browser’s auto-fill feature) before clicking ‘Submit’ — Isn’t it?
But closing the tab or editing your information hardly makes any difference because as soon as you have typed or auto-filled anything into the online form, the website captures it automatically in the background using JavaScript, even if you haven’t clicked the Submit button.
During an investigation, Gizmodo has discovered that code from NaviStone used by hundreds of websites, invisibly grabs each piece of information as you fill it out in a web form before you could hit ‘Send’ or ‘Submit.’
NaviStone is an Ohio-based startup that advertises itself as a service to unmask anonymous website visitors and find out their home addresses.
There are at least 100 websites that are using NaviStone’s code, according to BuiltWith, a service that tells you what tech sites employ.
Gizmodo tested dozens of those websites and found that majority of sites captured visitors’ email addresses only, but some websites also captured their personal information, like home addresses and other typed or auto-filled information.
Using JavaScript, the websites in question were sending user’s typed or auto-filled information of an online form to a server at “murdoog.com,” which is owned by NaviStone, leaving no option for people who immediately change their minds and close the page.
When the publication asked NaviStone that how it unmasks anonymous website visitors, the company denied revealing anything, saying that “its technology is proprietary and awaiting a patent.”
However, when asked whether email addresses are gathered in order to identify the person and their home addresses, the company’s chief operating officer Allen Abbott said NaviStone does not “use email addresses in any way to link with postal addresses or any other form of PII [Personal Identifiable Information].”
“Rather than use email addresses to generate advertising communications, we actually use the presence of an email address as a suppression factor, since it indicates that email, and not direct mail, is their preferred method of receiving advertising messages,” Abbott said.
Source: The Hacker Read