IdentityMatrix HEM Extractor - Browser Storage Scanning for Email Identifiers
IdentityMatrix's tracking script contains an extractHems() function that scans all browser storage (cookies, localStorage, sessionStorage) looking for email addresses and email hashes. Found values are transmitted for cross-reference against identity graphs for visitor de-anonymization.
This advisory exists to warn companies running IdentityMatrix on their sites. We do not notify vendors. We do not provide remediation windows. If you're using this vendor, this is your evidence.
- IdentityMatrix's own website
- Various B2B technology companies
If You're Running IdentityMatrix
- Remove IdentityMatrix script if deployed (Effort: trivial)
- Audit scripts for storage enumeration patterns (Effort: moderate)
- Implement storage access policies via CSP (Effort: significant)

What It Costs You
CAC Subsidization
Visitor data captured on a site can flow into data broker networks and identity graphs, eventually surfacing in competitor prospecting tools. The original company paid to acquire the traffic; competitors pay pennies to intercept the lead.
Signal Corruption
Overlapping tracking mechanisms corrupt attribution data. Multiple sources claim credit for single conversions. Pipeline metrics diverge from reality. Marketing decisions get made on numbers that can’t be trusted.
Legal Tail Risk
Pre-consent data collection, undisclosed data sharing, and consent signal violations create regulatory exposure. Class actions and regulatory fines can exceed entire annual marketing budgets. Liability sits with the site owner, not the vendor.
GTM Attack Surface
Third-party scripts execute with full privileges on every page load. Dangerous code patterns, external dependencies, and data interception turn marketing infrastructure into attack vectors. One compromised dependency compromises the entire site.
BTI-C: Behavioral Codes
Attack Parallel: Cookie Stealers
Traditional cookie stealers enumerate document.cookie to exfiltrate session tokens and authentication data. HEM extractors use the same technique but extend it to localStorage and sessionStorage, searching for identity markers that enable cross-site tracking. The only difference: cookie stealers are called malware, HEM extractors are called "identity resolution" and sold as B2B SaaS.
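The pattern described above can be caught before a script reaches a tag manager. The following is an added example for this advisory, not IdentityMatrix's code: a small static audit that flags storage-enumeration constructs (iterating every cookie, every localStorage or sessionStorage key) and identifier-matching constructs (email and hex-hash regexes) in a script's source. The detection patterns are modelled on the extractHems() excerpt quoted in the Code Evidence section; the two sample scripts and the severity labels are constructed for the demonstration.

```javascript
// Added example (not IdentityMatrix code): static audit of a third-party
// script for storage-enumeration and identifier-matching patterns.

// Builds a regex for the common ways of enumerating a Web Storage object:
//   for (... in localStorage)   Object.keys(localStorage)   localStorage.key(i)
function enumerationOf(store) {
  return new RegExp(
    String.raw`for\s*\(\s*(?:var|let|const)?\s*\w+\s+in\s+${store}\s*\)` +
      String.raw`|Object\.(?:keys|entries|values)\(\s*${store}\s*\)` +
      String.raw`|${store}\s*\.\s*key\s*\(`,
    "g"
  );
}

const PATTERNS = [
  { id: "cookie-enumeration", kind: "enumeration", severity: "high",
    re: /document\.cookie\s*\.\s*split\s*\(/g,
    why: "splits document.cookie into every cookie instead of reading one by name" },
  { id: "localStorage-enumeration", kind: "enumeration", severity: "high",
    re: enumerationOf("localStorage"), why: "iterates over every localStorage key" },
  { id: "sessionStorage-enumeration", kind: "enumeration", severity: "high",
    re: enumerationOf("sessionStorage"), why: "iterates over every sessionStorage key" },
  { id: "email-regex", kind: "identifier-match", severity: "medium",
    re: /\[\^\\s@\]\+@/g, // the literal  [^\s@]+@  inside an email regex
    why: "tests arbitrary values against an email-address regex" },
  { id: "hash-regex", kind: "identifier-match", severity: "medium",
    re: /\[a-f0-9\]\{(?:32|40|64)\}/g, // md5 / sha1 / sha256 hex lengths
    why: "tests arbitrary values against a hashed-identifier regex" },
];

// Returns one finding per pattern hit, with the 1-based source line.
function auditScript(source) {
  const findings = [];
  for (const p of PATTERNS) {
    for (const m of source.matchAll(p.re)) {
      findings.push({
        id: p.id, kind: p.kind, severity: p.severity, why: p.why,
        line: source.slice(0, m.index).split("\n").length,
        snippet: m[0],
      });
    }
  }
  return findings.sort((a, b) => a.line - b.line);
}

// Enumeration plus identifier matching is the HEM-extractor signature;
// enumeration alone still deserves a manual look.
function classify(findings) {
  const enumerates = findings.some((f) => f.kind === "enumeration");
  const matchesIds = findings.some((f) => f.kind === "identifier-match");
  if (enumerates && matchesIds) return "storage-exfiltration-suspect";
  if (enumerates) return "enumeration-only";
  return "clean";
}

// Constructed sample, shaped like the advisory's extractHems() excerpt.
const SUSPECT_SCRIPT = String.raw`
function extractHems() {
  var found = [];
  var md5Regex = /^[a-f0-9]{32}$/i;
  var sha256Regex = /^[a-f0-9]{64}$/i;
  var emailRegex = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
  document.cookie.split(";").forEach(function (c) { check("cookie", c); });
  for (var key in localStorage) { check("localStorage", key, localStorage[key]); }
  for (var key in sessionStorage) { check("sessionStorage", key, sessionStorage[key]); }
  return found;
}
`;

// Constructed sample of a script that reads only specific, known keys.
const BENIGN_SCRIPT = String.raw`
var theme = localStorage.getItem("theme");
var consent = document.cookie.match(/(?:^|; )consent=([^;]*)/);
sessionStorage.setItem("cart", JSON.stringify(cart));
`;

for (const [name, src] of [["suspect", SUSPECT_SCRIPT], ["benign", BENIGN_SCRIPT]]) {
  const findings = auditScript(src);
  console.log(`${name}: ${classify(findings)}`);
  for (const f of findings) console.log(`  line ${f.line} [${f.severity}] ${f.id}: ${f.why}`);
}
```

Run it over each script a tag manager would load; anything classified as storage-exfiltration-suspect should be blocked pending review, and enumeration-only hits should be checked by hand, since a legitimate script has no reason to walk every key.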
BTSS Score Breakdown
Technical Evidence
Code Evidence
extractHems() function - scans all browser storage
```javascript
function extractHems() {
  var found = []; var seen = new Set();
  var md5Regex = /^[a-f0-9]{32}$/i;
  var sha256Regex = /^[a-f0-9]{64}$/i;
  var emailRegex = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
  // addHem() is defined elsewhere in the script and is not part of this excerpt;
  // from the regexes declared above it is presumably where each value is tested
  // and matches are pushed into `found`.
  // Scans cookies
  document.cookie.split(";").forEach(function(cookie) {
    var parts = cookie.trim().split("=");
    var key = parts[0];
    var value = parts[1];
    if (key && value) { addHem("cookie", key, value); }
  });
  // Scans localStorage
  for (var key in localStorage) {
    if (localStorage.hasOwnProperty(key)) {
      var value = localStorage[key];
      if (value) addHem("localStorage", key, value);
    }
  }
  // Scans sessionStorage
  for (var key in sessionStorage) {
    if (sessionStorage.hasOwnProperty(key)) {
      var value = sessionStorage[key];
      if (value) addHem("sessionStorage", key, value);
    }
  }
  VISIT_DATA.hem = found;
}
```
VISIT_DATA structure - all collected visitor data
```javascript
var VISIT_DATA = {
  id: getTrackingID(),
  pixelId: null,
  sessionId: getSessionID(),
  domain: window.location.hostname,
  path: window.location.pathname,
  search: window.location.search,
  dateVisit: new Date().toISOString(),
  userAgent: navigator.userAgent,
  referrer: getCookie("im_session_referrer"),
  pageTitle: document.title,
  formData: null,
  hem: [], // Hashed Email extraction results go here
  timezone: Intl.DateTimeFormat().resolvedOptions().timeZone,
  screenSize: window.screen.width + "x" + window.screen.height,
  viewportSize: window.innerWidth + "x" + window.innerHeight,
  language: navigator.language,
  idleTime: 0,
  clickEvents: [],
  mousePath: []
};
```
Network Evidence
- https://api.identitymatrix.ai/track with payload `{"hem": [...], "sessionId": "...", ...}`: visitor data, including extracted HEMs, transmitted to the API
- https://f2f-server-prod-*.herokuapp.com/visitors/: Face2Face.io integration; note the 'stalking' terminology in the data model
Evidence Package
## Reproduction Steps

1. **Visit** https://www.identitymatrix.ai/
2. **Open DevTools** → Sources tab
3. **Find** trackingScript.js in the source tree
4. **Search** for "extractHems" or "localStorage"
5. **Observe** the storage enumeration code

## Alternative: Network Analysis

1. **Open DevTools** → Network tab
2. **Visit** https://www.identitymatrix.ai/
3. **Search** for requests to api.identitymatrix.ai
4. **Inspect** request payloads for "hem" field
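The network check in the last step can be automated over captured request bodies instead of reading each payload by hand. The following is an added example for this advisory, not IdentityMatrix's code: it walks the JSON body of each captured request, reports every string shaped like an email address or an md5/sha1/sha256 hex digest, and names the host that received it. The request entries are constructed for the demonstration; the hostname api.identitymatrix.ai is the one named in the Network Evidence, but the layout of the `hem` array and all values in it are assumed.

```javascript
// Added example (not IdentityMatrix code): scan captured request bodies for
// email addresses and hash-shaped identifiers and report the receiving host.

const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
const HEX_RE = /^[a-f0-9]+$/i;
const HASH_LENGTHS = { 32: "md5-length hex", 40: "sha1-length hex", 64: "sha256-length hex" };

// Labels a single value, or returns null when it is not identifier-shaped.
function classifyValue(v) {
  if (typeof v !== "string") return null;
  if (EMAIL_RE.test(v)) return "email";
  if (HEX_RE.test(v) && HASH_LENGTHS[v.length]) return HASH_LENGTHS[v.length];
  return null;
}

// Recursively walks any parsed JSON value and returns [{ path, type, value }]
// for every identifier-shaped string, using a JSONPath-style path.
function findIdentifiers(node, path = "$") {
  const hits = [];
  if (Array.isArray(node)) {
    node.forEach((item, i) => hits.push(...findIdentifiers(item, `${path}[${i}]`)));
  } else if (node && typeof node === "object") {
    for (const [k, v] of Object.entries(node)) hits.push(...findIdentifiers(v, `${path}.${k}`));
  } else {
    const type = classifyValue(node);
    if (type) hits.push({ path, type, value: node });
  }
  return hits;
}

// entries: [{ url, body }] with body as the raw request text (JSON expected).
// Returns one report row per request that carried identifiers.
function scanRequests(entries) {
  const report = [];
  for (const { url, body } of entries) {
    let parsed;
    try { parsed = JSON.parse(body); } catch { continue; } // skip non-JSON bodies
    const hits = findIdentifiers(parsed);
    if (hits.length) report.push({ host: new URL(url).host, hits });
  }
  return report;
}

// Constructed captures: one tracker beacon with an assumed hem layout, plus two
// first-party requests that should not be reported.
const CAPTURED = [
  {
    url: "https://api.identitymatrix.ai/track",
    body: JSON.stringify({
      sessionId: "sess-constructed-001",
      hem: [
        { source: "localStorage", key: "user_email", value: "jane.doe@example.com" },
        { source: "cookie", key: "uid_h", value: "0123456789abcdef0123456789abcdef" },
      ],
      path: "/pricing",
    }),
  },
  { url: "https://www.example.com/api/cart", body: JSON.stringify({ items: [{ sku: "A1", qty: 2 }] }) },
  { url: "https://www.example.com/ping", body: "ok" },
];

for (const row of scanRequests(CAPTURED)) {
  console.log(`identifiers sent to ${row.host}:`);
  for (const h of row.hits) console.log(`  ${h.path} (${h.type})`);
}
```

Feed it the request list from a HAR export (url plus postData text) to see which third-party hosts received identifier-shaped values during a page load; a hit under a third-party host is the point at which the consent and data-minimization questions in the Legal Touchpoints section become concrete.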
Legal Touchpoints
Purpose limitation - data must be collected for specified purposes. Scanning all storage to find any email is not a specified purpose, it's a fishing expedition.
Data minimization - scanning ALL storage keys violates minimization. A legitimate script would access specific, known keys only.
Accessing information stored on user's terminal equipment requires consent. Enumerating all storage is accessing stored information.
Sensitive PI (which may be found in storage) requires opt-in consent. HEM extraction is opt-out at best, and often has no notice at all.
Citation Templates
“Vendor shall not engage in behaviors classified under BTI-2025-0003 (IdentityMatrix), including BTI-C03 (Storage Exfiltration).”

“BTI Advisory BTI-2025-0003 documents IdentityMatrix engaging in Storage Exfiltration (BTSS 7.8, HIGH).”

“We have identified IdentityMatrix as exhibiting Storage Exfiltration behavior per BTI Advisory BTI-2025-0003. Full details: deployblackout.com/bti/BTI-2025-0003”