To carry out this research, the team used a web crawler that finds and fills email and password fields, while monitoring network traffic for leaks and intercepting script access to the filled input fields. The research was a joint effort between researchers at KU Leuven, Radboud University, and the University of Lausanne.
In a follow-up investigation, researchers found that Meta (Facebook) and TikTok collect hashed personal information from web forms even when the user filling the form doesn’t submit it or give consent. Both Meta and TikTok have a ‘Pixel’ that can be placed on sites with a feature called Automatic Advanced Matching, which automatically collects hashed personal identifiers from web forms. These identifiers are then used to target advertisements on the companies’ respective platforms, measure conversions or create custom audiences for advertisers.
“We believe the leaks are due to Facebook’s script interpreting clicks on irrelevant buttons as ‘submit button clicked’…
