Monday, August 19, 2024

[Rephrasing] Leaky Forms: A Study of Email and Password Exfiltration Before Form Submission

💡 This is a reader's perspective on the paper by Asuman Senol and co-authors (KU Leuven), published at the USENIX Security Symposium 2022.

Brief Description

The main idea of the paper is to identify what webpages do with user credentials while the user is still typing them into a form, i.e. before the form is submitted. The authors build on DuckDuckGo's Tracker Radar Collector, which drives Chrome through the Chrome DevTools Protocol, together with a network tracer, to see how the typed information is sent to a server. They only look at information sent to tracker domains. To handle values that are encoded or hashed before being sent, they precompute many encodings of the test email and password beforehand and compare those against the payloads sent over HTTP and WebSockets.

Observations

Verifying whether phishing websites also collect input while it is being typed is a very nice idea and seems to be an open research GAP.

This paper also uses the Chrome DevTools Protocol (CDP) to capture the behavior of the webpage, which might be a good thing to try.

In Section 3.2 they mention that they use the position of buttons on the page to find out how the crawler can reach login pages. Even though it might seem to be a good idea, I can't figure out whether the effort of building that tool really pays off.

I don't like the idea of restricting the capture of this behavior to tracker domains only; I would like to see a perspective on benign domains as well, even if it has to be a separate study.

One interesting topic is the finding that trackers behave differently depending on user geolocation: some only collect information from clients located in the US. I guess it is still a research GAP to understand whether phishing also behaves differently for users in different locations.

Besides that, identifying whether phishing websites behave differently in mobile versus desktop environments is a nice research GAP and might be interesting to find out.

Initial Questions

The first thing that popped into my mind was the tool they use to collect those behaviors, which became clear through the description of the methodology.

Where do the experiment ideas come from?

I am a little in doubt about the beginning of the study: whether it was related to a motivation study published by Surya Mattu, or whether it was related to the idea of using the DuckDuckGo tool.

What are the interesting ideas/results?

The attention to the GDPR rules is a very nice angle for experiments. Sending the requests and describing the GDPR scope in this paper is a very nice result for the reader.

They use Mozilla Fathom, a framework for building classifiers that recognize parts of a page automatically, here to identify email and password fields. Very interesting idea.

Another idea they had was related to the cookie-consent pop-up: on some pages, even when the user rejects tracking, the information is still collected. Besides that, it is interesting to see scenarios where the user still receives emails from websites that secretly collected their address.
