We investigate data exfiltration by third-party scripts directly embedded on web pages. Specifically, we study three attacks: misuse of browsers’ internal login managers, social data exfiltration, and whole-DOM exfiltration. Although the possibility of these attacks was well known, we provide the first empirical evidence based on measurements of 300,000 distinct web pages from 50,000 sites. We extend OpenWPM’s instrumentation to detect and precisely attribute these attacks to specific third-party scripts. Our analysis reveals invasive practices such as inserting invisible login forms to trigger autofilling of the saved user credentials, and reading and exfiltrating social network data when the user logs in via Facebook login. Further, we uncovered password, credit card, and health data leaks to third parties due to wholesale collection of the DOM. We discuss the lessons learned from the responses to the initial disclosure of our findings and fixes that were deployed by the websites, browser vendors, third-party libraries and privacy protection tools.