TechViews News …..
Just like most of you, I too really hate filling out web forms, especially on mobile devices. To help make this whole process faster, major browsers offer the “Autofill” feature that automatically fills out web form based on data you have previously entered in similar fields.
However, it turns out that an attacker can use this autofill feature against you and trick you into spilling your private information to hackers or malicious third parties.
As soon as you have typed or auto-filled anything into the online form, the website captures it automatically in the background using JavaScript, even if you haven’t clicked the Submit button.
During an investigation, Gizmodo has discovered that code from NaviStone used by hundreds of websites, invisibly grabs each piece of information as you fill it out in a web form before you could hit ‘Send’ or ‘Submit.’
NaviStone is an Ohio-based startup that advertises itself as a service to unmask anonymous website visitors and find out their home addresses. There are at least 100 websites that are using NaviStone’s code, according to BuiltWith, a service that tells you what tech sites employ.
Gizmodo tested dozens of those websites and found that majority of sites captured visitors’ email addresses only, but some websites also captured their personal information, like home addresses and other typed or auto-filled information.
How Websites Collect ‘Data’ Before Submitting Web Forms
Using JavaScript, the websites in question were sending user’s typed or auto-filled information of an online form to a server at “murdoog.com,” which is owned by NaviStone, leaving no option for people who immediately change their minds and close the page.
When the publication asked NaviStone that how it unmasks anonymous website visitors, the company denied revealing anything, saying that “its technology is proprietary and awaiting a patent.”
However, when asked whether email addresses are gathered in order to identify the person and their home addresses, the company’s chief operating officer Allen Abbott said NaviStone does not “use email addresses in any way to link with postal addresses or any other form of PII [Personal Identifiable Information].”
“Rather than use email addresses to generate advertising communications, we actually use the presence of an email address as a suppression factor, since it indicates that email, and not direct mail, is their preferred method of receiving advertising messages,” Abbott said.
After the story had gone live, NaviStone claims that it is planning to modify its data collection process. But still, it’s only modifying the collection process, not the fact that it’s collecting your highly personal identification and financial information.
And even worse, NaviStone is just one of multiple companies that websites use for registration and/or shopping enhancement.
In order to protect yourself from such websites collecting your data without your consent, you should consider disabling auto-fill form feature, which is turned on by default, in your browser, password manager or extension settings.
Here’s how to turn this feature off:
- In Internet Explorer → Click Tools in the upper right-hand corner, select Internet Options, under the Content tab, in the Autocomplete section, click the Settings button. Within this window, you can select the fields in which you’d like to store Autocomplete data by using the check boxes. This action turns Autocomplete On or Off based on what boxes are checked.
- In Chrome → Go to Settings, Show Advanced Settings at the bottom, and under the Passwords and Forms section uncheck Enable Autofill box to fill out web forms with a single click.
- In Opera, go to Settings → Autofill and turn it off.
- In Safari, go to Preferences and click on AutoFill to turn it off.
Think twice before filling your details into any web form, before it gets too late.
Be Safe – Backup Your Data Regularly!
**********
And don’t forget to take advantage of our FREE subscription to the TechViews.org Newsletter. A must-read if you are interested in Internet Security.
TechViews News 