Do you sign up for newsletters once in a while? Provide your name and email address to get a free copy of an ebook? Are you trying to sell your house, and you’ve asked for a quote online? So you (like anyone else) occasionally enter your personal data in an online form on a website. Usually website owners promise to never ever share your data, right? Well, they can’t keep that promise.

It turns out that your personal data may be shared with any website you visit.

To be fair, the website owners are not the ones to blame. Websites often use so-called landing pages to collect your personal data. Landing pages are specifically designed to convince visitors to submit their personal data to the website owner. Unfortunately, not every website owner is a great designer. Also, processing this data is not always easy. That’s why there are companies out there that help website owners to create the “perfect” landing page.

So technically, if you enter your personal data to sign up for a newsletter or to get that free copy of an ebook, chances are you’ve provided your data to one of several third-party companies, and then they send this information to the website owner. That’s all okay, unless one of these companies messes with the data.

Say hello to Instapage.com

Instapage is one of these companies that offers landing pages for website owners. On July 13th, they introduced a new feature — pre-filled landing page forms. The feature works like this:

When you submit data to a website using a landing page from Instapage this data is saved locally within your browser. When you visit a different website that also has a landing page from Instapage then your browser fills out the online form for you automatically using the locally stored data. Here is a promotional video introducing this feature:

If you think about it, this seems to be a great feature. Instead of manually typing all your personal data in online forms again and again, you can simply use the already stored information and let the browser fill out the form. You only have to click on the button to submit the data to the website owner. In theory the website owner should only get the data when you click the submit button. But there’s a catch:

Websites can bypass that click and get your data automatically.

The use of some lines of code can easily bypass that click and collect personal data from the browser. There is no need for the visitor to do anything! Let me clarify before we go on:

If you have sent data with an online form on or after July 13th, your data might be available to any other website you visit. Your data is drawn from your browser automatically. Without asking you. Without telling you.

Is this really an issue?

You might think: Is it really a problem if it’s a single company? After all, it’s just one company with a couple of customers, right? Does it matter?

It matters, because Instapage has more than 150,000 customers using their service. Disregarding the new pre-filled landing pages, Instapage is doing a fantastic job and they are very popular. No wonder “Instapage has grown to millions of collective landing page views per month” as they state on their site.

Even if you consider that only a small fraction of page views lead to a data submission, we are talking about 100,000 data submissions each month, or even more.

All the data submitted gets stored in the browser for other websites, gathered automatically in the background. Again, no asking for permission, no alerts!

If you are using this exploit as a website owner, your possibilities are endless.

Here are a couple of things you could do with a website that gets personal data from its visitors:

Want to collect the name and email address of all the visitors of your website (spam anyone)? Check!

Want to get the postal address of your visitors to send them some promotional material? Check!

Want the phone number of your visitors to give them a call? Yup.

And while we are at it, how about blackmailing your visitors if you are running a website that has some content your visitors don’t want to be linked with (like drugs, diseases …)?

Well, I think you get the idea.

Okay, what’s next?

Instapage needs to act immediately. They need to stop saving data in the browser if they can’t limit the access to the data. I don’t think that they can protect the data the way it should be protected. So, maybe they have to remove the feature. But until they find a secure way of handling the data, they should deactivate the current implementation.

As long as Instapage uses pre-filled forms, you have to be really careful.

Right now, you have to assume that everything you enter in an online form will be publicly available.

Think about the consequences. The more people know about this issue, the more people will resist entering data in an online form (because you can hardly tell if an online form is from Instapage). Website visitors, website owners and Instapage should have an interest in solving this issue ASAP.

But stopping the saving of data is just one part of the solution. It’s also imperative to make sure that the data which is already available will be erased. To achieve this, there are two obvious possibilities. First, the browser data could be deleted by Instapage when someone visits one of their forms. Alternatively, you could also delete the data in the browser yourself.

But deleting the data from your browser only helps if you don’t enter new data into online forms, because that data might be saved in your browser again. Therefore, Instapage needs to stop saving the data within the browser. And that’s what I’ve been trying to tell the company for a couple of weeks now.

And … nothing … has changed.

Instapage introduced and announced the new feature with a post on their blog on July 13th. I read that blog post the day after the release (July 14th), and sent an immediate alert to Instapage via Twitter.

I simply wanted to give them a heads-up, but that wasn’t successful. They either didn’t think about the possibility of bypassing the submit button, or even worse — they didn’t know about it.

So I sent a second warning providing an attack scenario (“the hacker”) and told them that the submit button is useless.

But they were still ignoring my warnings. They emphasize end-to-end encryption, which is as useless as the submit button:

They were not willing to challenge their own implementation, so I offered a demonstration. Seeing is believing, right?

A couple of days later, I sent them an email with the link to the test page I had prepared as a proof-of-concept, an explanation of how it works, and a copy of the code that I used. The test page checks whether there is data stored within the browser, fetches the data, and, instead of sending it to a hidden server, presents a little pop-up message showing the data.

Call me old-fashioned, but I was expecting an answer. Not immediately, but promptly. I haven’t heard anything, and I recently checked whether they received my email. They confirmed.

Unfortunately, that is the last thing that I got from Instapage. No email, nothing via Twitter — even though I asked for an update! They have been investigating for two weeks now, and it’s more than three weeks after my initial warnings! Come on, this is ridiculous!

Want proof?

I thought about posting the link to the test page right here, but I don’t want people using the exploit to collect personal data.

Frankly, the code that I have written for the test page is quite simple. If you know Javascript and HTML, that’s all you need. So, not linking to the test page will not stop the ones who know about this stuff, but it will stop the script kiddies. Instead, I’ve recorded a video to explain how it works.

As of today, the pre-filled landing page forms feature is still working. And this is unacceptable. If you agree with me, contact Instapage.com (@instapage) and let them know how you feel about this.

Spread the word! Recommend this story on Medium, forward this story to your friends or tweet a link to your Twitter followers. Make them aware of the current situation.

To stay up-to-date, follow me on medium.com/@sehnot or via @sehnot