BTI-2025-0002
Severity: HIGH
Category: BTI-C02
Status: DISCOVERED
BTSS: 8.1

ZoomInfo

ZoomInfo FormComplete - Pre-Submission Email Capture via Browser Autofill

Discovered: 2025-11-25
Est. Deployments: 10,000+
MITRE Technique: T1056
Trend: stable

Summary

ZoomInfo's FormComplete product captures email addresses from form fields before users click submit, including data populated by browser autofill. The script monitors input field changes and immediately transmits emails to ZoomInfo servers for validation, without any user submission action.

BTSS Score Breakdown

Exploitability: 3.5 / 4
Data Sensitivity: 2.5 / 3
Prevalence: 1.5 / 2
Detection Difficulty: 0.6 / 1

Technical Details

## How FormComplete Works

1. `formcomplete.js` loads and attaches event listeners to all `<input>` elements
2. When a field value changes (including browser autofill), the script detects it
3. If the value looks like an email, it's immediately POSTed to ZoomInfo
4. ZoomInfo validates the email against NeverBounce (email verification service)
5. All of this happens BEFORE the user clicks any submit button

## The User Experience

A user visits a marketing page. Their browser autofills their email into a newsletter signup form. Without clicking anything, their email is transmitted to ZoomInfo and validated. The user has no idea this happened.

## Additional Concerning Behaviors

On the same page load:

- PerimeterX fingerprinting fires 400ms BEFORE OneTrust consent SDK loads
- Sardine.ai behavioral biometrics collection with `enableBiometrics: true`
- 118 unique domains contacted
- Fraud detection session created before consent obtained

Code Evidence

Source: ws-assets.zoominfo.com/formcomplete.js

FormComplete input monitoring (conceptual reconstruction)

```javascript
// formcomplete.js attaches to all inputs. In this reconstruction isEmail(),
// sendToZoomInfo() and formId stand in for the script's own helpers.
document.querySelectorAll('input').forEach(input => {
  // 'change' fires when a value is committed, including by browser autofill
  input.addEventListener('change', function(e) {
    const value = e.target.value;
    if (isEmail(value)) {
      sendToZoomInfo(value, formId);
    }
  });

  // 'blur' covers the field losing focus after it has been filled
  input.addEventListener('blur', function(e) {
    const value = e.target.value;
    if (isEmail(value)) {
      sendToZoomInfo(value, formId);
    }
  });
});
```
Source: frapi.zoominfo.com/assets/collector.min.d4021d2.html

Sardine.ai biometrics configuration (decoded from base64)

```json
{
  "loaderInitTime": 1764084620894,
  "enableBiometrics": true,
  "enableDNS": true,
  "revision": "2025-10-28-d4021d2",
  "origin": "https://www.zoominfo.com",
  "collectorDomain": "frapi.zoominfo.com",
  "dBaseDomain": "d.sardine.ai"
}
```

Network Evidence

POST https://ws.zoominfo.com/formcomplete-internal/getNeverbounce

```json
{"email":"clark@deployronin.com","formId":"79afc4d1-7040-4e49-945c-57ba17399b28"}
```

This request was captured during a visit to zoominfo.com/products/gtm-studio. The email was NOT submitted - it was browser autofill. No form was completed. The email was immediately transmitted and validated against NeverBounce.

POST https://collector-pxosx7m0dx.px-cloud.net/api/v2/collector

PerimeterX fingerprinting - fires BEFORE consent

GET https://*.d.sardine.ai/bg.png?h=...

Sardine.ai fingerprinting pixels (7 simultaneous requests)

Attack Parallel: Form Grabbers (Banking Trojans)

Zeus, SpyEye, and other banking trojans use "form grabbing" to intercept credentials before they reach legitimate servers. The technique hooks form events, captures input values, and exfiltrates data. FormComplete uses the identical technique: hook input events, capture email values, exfiltrate to ZoomInfo servers. The only difference is FormComplete is a "legitimate" product sold to enterprises.

Reference

Framework Mappings

MITRE ATT&CK: T1056 Input Capture (Tactic: Collection)
PCI DSS 4.0: 6.4.3 Script inventory and authorization
OWASP Client-Side: CS2 (Data Leakage)

Legal Touchpoints

GDPR Art. 6 (European Union)

No lawful basis for processing. Capturing autofilled data without any user action cannot be based on consent (no action = no consent) or legitimate interest (too intrusive, not expected by users).

GDPR Art. 7 (European Union)

Consent must be freely given, specific, informed, and unambiguous. Autofill capture meets none of these criteria.

CCPA 1798.100(b) (California)

Right to know what personal information is collected. Users have no idea their autofilled email is being captured and validated.

ePrivacy Directive Art. 5(3) (European Union)

Requires consent for accessing information stored on user equipment. Monitoring form field values to capture autofill data is accessing information from the user's browser.

Prevalence

Estimated Deployments: 10,000+
Market Segments: Enterprise B2B, SaaS, Technology, Professional Services
Notable Deployments
  • ZoomInfo's own website
  • Enterprise customers using FormComplete product

Reproduction Steps

1. **Open Chrome DevTools** on the Network tab
2. **Enable "Preserve log"** to capture all requests
3. **Visit** https://www.zoominfo.com/products/gtm-studio
4. **Let browser autofill** populate any form fields
   - Do NOT click submit
   - Do NOT type anything manually
5. **Search Network tab** for "formcomplete" or "neverbounce"
6. **Observe**: Your autofilled email was transmitted without action

## What to Look For

- POST to `ws.zoominfo.com/formcomplete-internal/getNeverbounce`
- Request body contains `"email": "your@email.com"`
- This happens WITHOUT clicking submit
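To check the two conditions from the Network Evidence and the steps above against a HAR exported from the DevTools Network tab (an email-bearing request before any submit click, and collector calls before the consent SDK loads), here is an added example; it is not part of the advisory or ZoomInfo's code, and the consent host `cdn.cookielaw.org`, the collector host list, the sample entries and the submit timestamp are constructed assumptions.

```javascript
// Added example (not from the advisory): audit a DevTools HAR export for
// (a) request bodies/URLs carrying an email before the first form submit and
// (b) third-party collector calls fired before the consent SDK loaded.
const EMAIL_RE = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g;
// Host lists are assumptions for this example; in practice derive them from
// the site's own script inventory (PCI DSS 6.4.3).
const COLLECTOR_HOSTS = ['px-cloud.net', 'd.sardine.ai'];
const CONSENT_HOSTS = ['cdn.cookielaw.org']; // OneTrust SDK CDN (assumption)

const hostOf = (url) => new URL(url).hostname;
const matchesHost = (host, list) => list.some((s) => host === s || host.endsWith('.' + s));
const safeDecode = (s) => { try { return decodeURIComponent(s); } catch { return s; } };

// submitTimeIso: when the tester actually clicked submit. Omit it when no
// submission happened, so every email-bearing request counts as pre-submit.
function auditHar(har, submitTimeIso) {
  const entries = [...har.log.entries]
    .sort((a, b) => Date.parse(a.startedDateTime) - Date.parse(b.startedDateTime));
  const submitAt = submitTimeIso ? Date.parse(submitTimeIso) : Infinity;
  const consent = entries.find((e) => matchesHost(hostOf(e.request.url), CONSENT_HOSTS));
  const consentAt = consent ? Date.parse(consent.startedDateTime) : Infinity;
  const findings = [];
  for (const e of entries) {
    const t = Date.parse(e.startedDateTime);
    const host = hostOf(e.request.url);
    const body = (e.request.postData && e.request.postData.text) || '';
    // Look in the body and the decoded URL, so GET-based beacons are covered too.
    const emails = (safeDecode(body) + ' ' + safeDecode(e.request.url)).match(EMAIL_RE) || [];
    if (emails.length && t < submitAt) {
      findings.push({ kind: 'pre-submit-email', host, emails, msBeforeSubmit: submitAt - t });
    }
    if (matchesHost(host, COLLECTOR_HOSTS) && t < consentAt) {
      findings.push({ kind: 'pre-consent-collector', host, msBeforeConsent: consentAt - t });
    }
  }
  return findings;
}

// Constructed sample HAR (not a real capture): collector beacon 400 ms before
// the consent stub, an autofill-triggered email POST, then the real submission.
const entry = (startedDateTime, method, url, text) =>
  ({ startedDateTime, request: { method, url, postData: text ? { text } : undefined } });
const SAMPLE_HAR = { log: { entries: [
  entry('2025-11-25T10:00:00.000Z', 'POST', 'https://collector-example.px-cloud.net/api/v2/collector', 'fp=...'),
  entry('2025-11-25T10:00:00.400Z', 'GET', 'https://cdn.cookielaw.org/scripttemplates/otSDKStub.js'),
  entry('2025-11-25T10:00:02.000Z', 'POST', 'https://ws.zoominfo.com/formcomplete-internal/getNeverbounce',
    '{"email":"user@example.com","formId":"constructed-form-id"}'),
  entry('2025-11-25T10:00:09.000Z', 'POST', 'https://www.example.com/newsletter', 'email=user%40example.com'),
] } };
const SUBMIT_AT = '2025-11-25T10:00:08.500Z'; // constructed: when submit was clicked
console.log(JSON.stringify(auditHar(SAMPLE_HAR, SUBMIT_AT), null, 2));
```

Against the constructed sample the auditor reports the collector call 400 ms before the consent stub and the getNeverbounce POST 6.5 s before the submit click, while the post-submit newsletter request is not flagged.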

Remediation

Immediate: Remove FormComplete script if deployed (Effort: trivial)

Short term: Audit all form handling scripts for pre-submit capture (Effort: moderate)

Long term: Implement consent-first form tracking (Effort: significant)
Created: 2025-11-25 | Updated: 2025-11-25 | Version: 1

#pre-submit-capture #form-grabbing #autofill #high #zoominfo