BTI BTI-2025-0002
BTSS 8.1

ZoomInfo

ZoomInfo FormComplete - Pre-Submission Email Capture via Browser Autofill

Version
1
Discovered
2025-11-25
Est. Deployments
10,000+
THE TAKE

ZoomInfo's FormComplete product captures email addresses from form fields before users click submit, including data populated by browser autofill. The script monitors input field changes and immediately transmits emails to ZoomInfo servers for validation, without any user submission action.

This advisory exists to warn companies running ZoomInfo on their sites. We do not notify vendors. We do not provide remediation windows. If you're using this vendor, this is your evidence.

//PREVALENCE
10,000+
Estimated Deployments
Market Segments
Enterprise B2B, SaaS, Technology, Professional Services
Notable Deployments
  • ZoomInfo's own website
  • Enterprise customers using FormComplete product
//IF_YOU_ARE_RUNNING_THIS

If You're Running ZoomInfo

Immediate: Remove FormComplete script if deployed (Effort: trivial)

Short term: Audit all form handling scripts for pre-submit capture (Effort: moderate)

Long term: Implement consent-first form tracking (Effort: significant)
//REVENUE_IMPACT

What It Costs You

CAC Subsidization

Visitor data captured on a site can flow into data broker networks and identity graphs, eventually surfacing in competitor prospecting tools. The original company paid to acquire the traffic; competitors pay pennies to intercept the lead.

Signal Corruption

Overlapping tracking mechanisms corrupt attribution data. Multiple sources claim credit for single conversions. Pipeline metrics diverge from reality. Marketing decisions get made on numbers that can’t be trusted.

Legal Tail Risk

Pre-consent data collection, undisclosed data sharing, and consent signal violations create regulatory exposure. Class actions and regulatory fines can exceed entire annual marketing budgets. Liability sits with the site owner, not the vendor.

GTM Attack Surface

Third-party scripts execute with full privileges on every page load. Dangerous code patterns, external dependencies, and data interception turn marketing infrastructure into attack vectors. One compromised dependency compromises the entire site.

//WHY_THIS_MATTERS

Attack Parallel: Form Grabbers (Banking Trojans)

Zeus, SpyEye, and other banking trojans use "form grabbing" to intercept credentials before they reach legitimate servers. The technique hooks form events, captures input values, and exfiltrates data. FormComplete uses the identical technique: hook input events, capture email values, exfiltrate to ZoomInfo servers. The only difference is FormComplete is a "legitimate" product sold to enterprises.

//BTSS_BREAKDOWN

BTSS Score Breakdown

Exploitability: 3.5 / 4
Data Sensitivity: 2.5 / 3
Prevalence: 1.5 / 2
Detection Difficulty: 0.6 / 1
//TECHNICAL_EVIDENCE

Technical Evidence

## How FormComplete Works

1. `formcomplete.js` loads and attaches event listeners to all `<input>` elements
2. When a field value changes (including browser autofill), the script detects it
3. If the value looks like an email, it's immediately POSTed to ZoomInfo
4. ZoomInfo validates the email against NeverBounce (email verification service)
5. All of this happens BEFORE the user clicks any submit button

## The User Experience

A user visits a marketing page. Their browser autofills their email into a newsletter signup form. Without clicking anything, their email is transmitted to ZoomInfo and validated. The user has no idea this happened.

## Additional Concerning Behaviors

On the same page load:

- PerimeterX fingerprinting fires 400ms BEFORE the OneTrust consent SDK loads
- Sardine.ai behavioral biometrics collection with `enableBiometrics: true`
- 118 unique domains contacted
- Fraud detection session created before consent obtained

Code Evidence

Source: ws-assets.zoominfo.com/formcomplete.js (JavaScript)

FormComplete input monitoring (conceptual reconstruction)

```javascript
// formcomplete.js attaches to all inputs (conceptual reconstruction, not the
// vendor's source). isEmail, sendToZoomInfo and formId stand in for the
// script's own email check, its POST to the validation endpoint, and the
// form identifier it sends alongside the address.
document.querySelectorAll('input').forEach(input => {
  // 'change' fires when browser autofill populates the field, with no keystroke
  input.addEventListener('change', function(e) {
    const value = e.target.value;
    if (isEmail(value)) {
      sendToZoomInfo(value, formId);
    }
  });

  // 'blur' fires when focus leaves the field, still before any submit
  input.addEventListener('blur', function(e) {
    const value = e.target.value;
    if (isEmail(value)) {
      sendToZoomInfo(value, formId);
    }
  });
});
```
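The reconstruction above shows field-level `change`/`blur` listeners doing the sending. The probe below is an added example, not code from the advisory or from ZoomInfo: it wraps `EventTarget.prototype.addEventListener` so that every outbound `fetch()` (and `navigator.sendBeacon()` where present) is logged together with the DOM event whose listener issued it. In a browser you call `installRequestAttribution(window)` before the third-party script registers its listeners (for example from a user script that runs at document-start or a local override); requests attributed to a `change`, `blur` or `input` event rather than `submit` are exactly the pre-submit capture described here. The `env` parameter is this example's own assumption so the same code runs in Node, where `EventTarget` and `Event` are globals; the URLs in `demo()` come from the Network Evidence section and the request body is constructed.

```javascript
// Added example (not the advisory's or ZoomInfo's code): attribute outbound
// requests to the DOM event whose listener fired them. Pass `window` in a
// browser; in Node pass {EventTarget, fetch} (assumption made for portability).

function describeTarget(target) {
  if (!target) return null;
  return {
    tag: target.tagName ? target.tagName.toLowerCase() : target.constructor.name,
    name: target.name || target.id || null,
  };
}

function installRequestAttribution(env) {
  const log = [];                 // one entry per outbound request
  let current = null;             // event being dispatched right now, if any
  const wrappers = new WeakMap(); // original listener -> wrapper, so removeEventListener still works

  const proto = env.EventTarget.prototype;
  const origAdd = proto.addEventListener;
  const origRemove = proto.removeEventListener;

  // Wrap each listener so `current` names the event while the listener runs.
  proto.addEventListener = function (type, listener, options) {
    if (typeof listener !== 'function') return origAdd.call(this, type, listener, options);
    let wrapped = wrappers.get(listener);
    if (!wrapped) {
      wrapped = function (event) {
        const previous = current;
        current = { type: event.type, target: describeTarget(event.target) };
        try { return listener.call(this, event); } finally { current = previous; }
      };
      wrappers.set(listener, wrapped);
    }
    return origAdd.call(this, type, wrapped, options);
  };
  proto.removeEventListener = function (type, listener, options) {
    return origRemove.call(this, type, wrappers.get(listener) || listener, options);
  };

  // Record every fetch() with the event (if any) that triggered it.
  const origFetch = env.fetch;
  env.fetch = function (input, init) {
    log.push({
      api: 'fetch',
      url: typeof input === 'string' ? input : input.url,
      method: (init && init.method) || 'GET',
      body: init && init.body != null ? String(init.body) : null,
      trigger: current, // null when fired outside any event listener
    });
    return origFetch.call(this, input, init);
  };

  // sendBeacon is a common exfil transport in the browser; absent in Node.
  const nav = env.navigator;
  const origBeacon = nav && typeof nav.sendBeacon === 'function' ? nav.sendBeacon : null;
  if (origBeacon) {
    nav.sendBeacon = function (url, data) {
      log.push({ api: 'sendBeacon', url: String(url), method: 'POST',
                 body: data == null ? null : String(data), trigger: current });
      return origBeacon.call(this, url, data);
    };
  }

  return {
    log,
    // Requests that left the page from a field-level listener, not from a submit.
    preSubmitCaptures() {
      const fieldEvents = ['change', 'blur', 'input', 'keyup'];
      return log.filter(r => r.trigger && fieldEvents.includes(r.trigger.type));
    },
    uninstall() {
      proto.addEventListener = origAdd;
      proto.removeEventListener = origRemove;
      env.fetch = origFetch;
      if (origBeacon) nav.sendBeacon = origBeacon;
    },
  };
}

// Stand-alone demo: a field listener of the kind reconstructed above, driven by
// the 'change' event that browser autofill produces. Body and page request are constructed.
function demo() {
  const env = { EventTarget, fetch: async () => ({ ok: true }) }; // stand-in for window
  const probe = installRequestAttribution(env);
  const emailField = new EventTarget(); // stands in for an <input type="email">
  emailField.addEventListener('change', function () {
    env.fetch('https://ws.zoominfo.com/formcomplete-internal/getNeverbounce',
      { method: 'POST', body: '{"email":"visitor@example.com"}' });
  });
  emailField.dispatchEvent(new Event('change'));          // autofill, no submit
  env.fetch('https://www.zoominfo.com/products/gtm-studio'); // ordinary page request, no listener
  probe.uninstall();
  return { log: probe.log, preSubmit: probe.preSubmitCaptures() };
}
```

Listeners registered before the probe was installed are not wrapped, so their requests still appear in the log but with `trigger: null`; install early enough and that ambiguity disappears. The same wrapping pattern extends to `XMLHttpRequest.prototype.send` for scripts that do not use `fetch`.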
Source: frapi.zoominfo.com/assets/collector.min.d4021d2.html

Sardine.ai biometrics configuration (decoded from base64)

```json
{
  "loaderInitTime": 1764084620894,
  "enableBiometrics": true,
  "enableDNS": true,
  "revision": "2025-10-28-d4021d2",
  "origin": "https://www.zoominfo.com",
  "collectorDomain": "frapi.zoominfo.com",
  "dBaseDomain": "d.sardine.ai"
}
```

Network Evidence

POST https://ws.zoominfo.com/formcomplete-internal/getNeverbounce
{"email":"clark@deployronin.com","formId":"79afc4d1-7040-4e49-945c-57ba17399b28"}

This request was captured during a visit to zoominfo.com/products/gtm-studio. The email was NOT submitted - it was browser autofill. No form was completed. The email was immediately transmitted and validated against NeverBounce.

POST https://collector-pxosx7m0dx.px-cloud.net/api/v2/collector

PerimeterX fingerprinting - fires BEFORE consent

GET https://*.d.sardine.ai/bg.png?h=...

Sardine.ai fingerprinting pixels (7 simultaneous requests)

//EVIDENCE_PACKAGE

Evidence Package

## Reproduction Steps

1. **Open Chrome DevTools** on the Network tab
2. **Enable "Preserve log"** to capture all requests
3. **Visit** https://www.zoominfo.com/products/gtm-studio
4. **Let browser autofill** populate any form fields
   - Do NOT click submit
   - Do NOT type anything manually
5. **Search Network tab** for "formcomplete" or "neverbounce"
6. **Observe**: Your autofilled email was transmitted without action

## What to Look For

- POST to `ws.zoominfo.com/formcomplete-internal/getNeverbounce`
- Request body contains `"email": "your@email.com"`
- This happens WITHOUT clicking submit
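The reproduction steps and the Network Evidence above come down to two timing questions: did an email-looking value leave the page before any submit, and did third-party hosts get called before consent. The script below is an added example (not the advisory's tooling) that answers both offline over a captured request log. The record shape `{t, method, url, body}` (milliseconds since navigation start) and the milestone events `submit` and `consent` are this example's assumptions; fill them from a HAR export or from rows copied out of the DevTools Network tab with "Preserve log" on. The sample log is constructed to mirror the advisory's evidence: the hosts and paths are the ones listed above, the email and `formId` are placeholders, and `sub.d.sardine.ai` stands in for the `*.d.sardine.ai` wildcard.

```javascript
// Added example (not from the advisory): offline triage of a request log for
// (a) email values transmitted before any form submission and
// (b) third-party requests issued before consent was granted.

const EMAIL_RE = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g;

// Registrable-domain approximation (last two labels). Assumption: adequate for
// triage; a production tool should consult the public suffix list.
function baseDomain(hostname) {
  return hostname.split('.').filter(Boolean).slice(-2).join('.');
}

// Unique email-looking strings in a body or query string (empty list if none).
function findEmails(text) {
  if (!text) return [];
  return [...new Set(String(text).match(EMAIL_RE) || [])];
}

// Earliest time an event of this type occurred; Infinity if it never did.
function earliest(events, type) {
  const times = events.filter(e => e.type === type).map(e => e.t);
  return times.length ? Math.min(...times) : Infinity;
}

// requests: [{t, method, url, body}]; events: [{type:'submit'|'consent'|..., t}]
// firstPartyHost: hostname of the page under test
function triageRequests(requests, events, firstPartyHost) {
  const firstSubmit = earliest(events, 'submit');
  const consentAt = earliest(events, 'consent');
  const findings = [];
  for (const r of [...requests].sort((a, b) => a.t - b.t)) {
    const parsed = new URL(r.url);
    // Scan both body and query string: autofilled values also travel in GET params.
    const emails = [...new Set([...findEmails(r.body), ...findEmails(parsed.search)])];
    if (emails.length && r.t < firstSubmit) {
      findings.push({ kind: 'pre-submit-capture', t: r.t, url: r.url, emails });
    }
    const thirdParty = baseDomain(parsed.hostname) !== baseDomain(firstPartyHost);
    if (thirdParty && r.t < consentAt) {
      findings.push({ kind: 'pre-consent-third-party', t: r.t, url: r.url, host: parsed.hostname });
    }
  }
  return findings;
}

// Constructed sample modelled on the advisory's network evidence (not a real capture).
const SAMPLE_REQUESTS = [
  { t: 0,   method: 'GET',  url: 'https://www.zoominfo.com/products/gtm-studio', body: null },
  { t: 120, method: 'POST', url: 'https://collector-pxosx7m0dx.px-cloud.net/api/v2/collector', body: 'pxvid=constructed' },
  { t: 310, method: 'POST', url: 'https://ws.zoominfo.com/formcomplete-internal/getNeverbounce',
    body: '{"email":"visitor@example.com","formId":"00000000-0000-0000-0000-000000000000"}' },
  { t: 600, method: 'GET',  url: 'https://sub.d.sardine.ai/bg.png?h=constructed', body: null },
  { t: 950, method: 'POST', url: 'https://www.zoominfo.com/api/subscribe', body: '{"email":"visitor@example.com"}' },
];
const SAMPLE_EVENTS = [
  { type: 'change',  t: 300 }, // browser autofill populated the email field
  { type: 'consent', t: 520 }, // consent banner accepted
  { type: 'submit',  t: 900 }, // user actually clicked submit
];

// Expected on the sample: the PerimeterX collector call at t=120 (third party,
// before consent) and the getNeverbounce POST at t=310 (email, before submit).
// The Sardine pixel after consent and the real submission at t=950 are not flagged.
function demoTriage() {
  return triageRequests(SAMPLE_REQUESTS, SAMPLE_EVENTS, 'www.zoominfo.com');
}
```

With no `submit` or `consent` milestone recorded at all, every email-bearing request and every third-party request is flagged, which is the correct default for a capture where the user never clicked anything.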
//LEGAL_TOUCHPOINTS

Legal Touchpoints

GDPR Art. 6 (European Union)

No lawful basis for processing. Capturing autofilled data without any user action cannot be based on consent (no action = no consent) or legitimate interest (too intrusive, not expected by users).

GDPR Art. 7 (European Union)

Consent must be freely given, specific, informed, and unambiguous. Autofill capture meets none of these criteria.

CCPA 1798.100(b) (California)

Right to know what personal information is collected. Users have no idea their autofilled email is being captured and validated.

ePrivacy Directive Art. 5(3) (European Union)

Requires consent for accessing information stored on user equipment. Monitoring form field values to capture autofill data is accessing information from the user's browser.

//CITATION_TEMPLATES

Citation Templates

For Contracts / DPAs
“Vendor shall not engage in behaviors classified under BTI-2025-0002 (ZoomInfo), including BTI-C02.”
For Compliance Reports
“BTI Advisory BTI-2025-0002 documents ZoomInfo engaging in BTI-C02 (BTSS 8.1, HIGH).”
For Email / Communication
“We have identified ZoomInfo as exhibiting BTI-C02 behavior per BTI Advisory BTI-2025-0002. Full details: deployblackout.com/bti/BTI-2025-0002”
//RELATED_ADVISORIES
//FRAMEWORK_MAPPINGS
MITRE ATT&CK: T1056 Input Capture (Tactic: Collection)
PCI DSS 4.0: 6.4.3 Script inventory and authorization
OWASP Client-Side: CS2 Data Leakage
Created: 2025-11-25 | Updated: 2025-11-25 | Version: 1
#pre-submit-capture #form-grabbing #autofill #high #zoominfo
Permanent URL: deployblackout.com/bti/BTI-2025-0002