Several popular websites use scripts to record visitor activity

Cal Jeffrey


Most of us have come to accept that some of our information is going to be tracked when using the Internet. We have gotten used to seeing ads for those watches we were looking at on Amazon weeks ago showing up on Facebook. Most people do not even bother reading privacy policies anymore but that does not mean it is no longer important to know what kind of information is being tracked and how it is being collected.

Researchers at Princeton University’s Center for Information Technology Policy (CITP) have discovered that more of your information is being tracked than you might know. Their study has uncovered that several popular websites are using scripts that log every keystroke and mouse click and save recordings of them to third-party servers. Even if you cancel or abandon the web form, everything you typed is still recorded and saved.

The keylogging software, called “session replay scripts,” is being openly used by multiple sites. The scripts are usually employed by third-party providers such as FullStory, SessionCam, Clicktale, SmartLook, UserReplay, Hotjar and Yandex. Administrators can pull up any recorded session and play it back like a video.

According to lead researcher Steve Englehardt, most people do not even realize they are being tracked in this manner since session replay disclosures are buried “deep into the privacy policy.”

“I’m just happy that users will be made aware of it,” Englehardt told Motherboard in a telephone interview.

Englehardt and his colleagues, Gunes Acar and Arvind Narayanan, studied six of the seven session replay providers mentioned above and found that software from one company was being used on 482 of the top 50,000 sites (as ranked by Alexa). Of the nearly 500 listed websites, there are several well-known names including WordPress, Microsoft, Spotify, Xfinity and Walgreens.

Upon being presented with the research, Walgreens issued a statement.

“We take the protection of our customers’ data very seriously and are investigating the claims made in the study that was published yesterday. As we look into the concerns that were raised, and out of an abundance of caution, we have stopped sharing data with FullStory.”

Bonobos, another company identified in the list, told Wired that they have also stopped sharing data with FullStory. “We are continually assessing and strengthening systems and processes in order to protect our customers’ data,” the spokesperson said.

“Collection of page content by third-party replay scripts may cause sensitive information such as medical conditions, credit card details, and other personal information displayed on a page to leak to the third-party as part of the recording,” warn the researchers. It is also possible for passwords to be revealed despite the fact that the software is supposed to redact them.

There are tools included with the session replay scripts that can be used to redact sensitive information but in testing the software, CITP found that some data is only partially redacted or not removed at all. On Walgreens' website, for instance, data such as medical conditions, prescriptions and users’ real names were being collected despite having redaction protocols in place.
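The two mechanisms the study describes, a third-party replay script loaded into the page and a per-field redaction marker that the site operator must apply correctly, can both be checked statically. The following is an added example written for this article, not code from the Princeton study or from any of the vendors named: it parses a page's HTML, lists script tags whose host matches a configurable list of replay providers (flagging any loaded over plain HTTP, the transport issue raised below), and reports sensitive form fields that carry no suppression marker. The provider host names and the suppression markers (Hotjar's data-hj-suppress attribute, FullStory's fs-exclude and fs-mask classes) are assumptions drawn from general familiarity with those vendors, not values given in the article, and the sample page is constructed for the demonstration.

```python
"""Static audit of a page for session replay scripts and unredacted fields.

Assumptions (not from the article): the provider host suffixes and the
suppression markers below reflect the author's understanding of each vendor's
conventions; adjust them to match the providers your own audit cares about.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Provider name -> host-name suffixes its recording script is served from (assumed).
REPLAY_PROVIDERS = {
    "FullStory": ("fullstory.com",),
    "SessionCam": ("sessioncam.com",),
    "Clicktale": ("clicktale.net", "clicktale.com"),
    "SmartLook": ("smartlook.com",),
    "UserReplay": ("userreplay.com", "userreplay.net"),
    "Hotjar": ("hotjar.com",),
    "Yandex": ("mc.yandex.ru",),
}

# Markers that tell a replay script to leave a field out of the recording (assumed).
SUPPRESS_ATTRS = {"data-hj-suppress"}
SUPPRESS_CLASSES = {"fs-exclude", "fs-mask"}

# Heuristics for fields whose content should never reach a recording:
# password inputs, payment autocomplete tokens, and health/identity-looking names.
SENSITIVE_TYPES = {"password"}
SENSITIVE_AUTOCOMPLETE_PREFIXES = ("cc-",)
SENSITIVE_NAME_HINTS = ("ssn", "card", "diagnosis", "prescription", "medical")


def classify_script(src: str):
    """Return the provider name if src points at a known replay host, else None."""
    host = urlparse(src).hostname or ""
    for provider, suffixes in REPLAY_PROVIDERS.items():
        if any(host == s or host.endswith("." + s) for s in suffixes):
            return provider
    return None


def is_sensitive(attrs: dict) -> bool:
    """True if the field's type, autocomplete token or name suggests sensitive data."""
    if attrs.get("type", "").lower() in SENSITIVE_TYPES:
        return True
    if attrs.get("autocomplete", "").lower().startswith(SENSITIVE_AUTOCOMPLETE_PREFIXES):
        return True
    name = (attrs.get("name") or attrs.get("id") or "").lower()
    return any(hint in name for hint in SENSITIVE_NAME_HINTS)


def is_suppressed(attrs: dict) -> bool:
    """True if the field carries one of the assumed vendor suppression markers."""
    if SUPPRESS_ATTRS & set(attrs):
        return True
    classes = set((attrs.get("class") or "").split())
    return bool(classes & SUPPRESS_CLASSES)


class ReplayAuditor(HTMLParser):
    """Collects replay script tags and sensitive fields that lack suppression."""

    def __init__(self):
        super().__init__()
        self.replay_scripts = []  # (provider, src, loaded_over_plain_http)
        self.unredacted = []      # name or id of each exposed sensitive field

    def handle_starttag(self, tag, attrs):
        attrs = {k.lower(): (v or "") for k, v in attrs}  # valueless attrs become ""
        if tag == "script" and attrs.get("src"):
            provider = classify_script(attrs["src"])
            if provider:
                insecure = urlparse(attrs["src"]).scheme == "http"
                self.replay_scripts.append((provider, attrs["src"], insecure))
        elif tag in ("input", "textarea", "select"):
            if is_sensitive(attrs) and not is_suppressed(attrs):
                self.unredacted.append(attrs.get("name") or attrs.get("id") or "<unnamed>")


def audit_html(html: str) -> dict:
    """Parse one page and report replay scripts plus unredacted sensitive fields."""
    auditor = ReplayAuditor()
    auditor.feed(html)
    return {"replay_scripts": auditor.replay_scripts, "unredacted": auditor.unredacted}


# Constructed sample page: one replay script over plain HTTP, one over HTTPS,
# one password field correctly suppressed, and two sensitive fields left exposed.
SAMPLE_HTML = """
<html><head>
  <script src="https://www.example-cdn.test/app.js"></script>
  <script src="http://script.hotjar.com/modules.js"></script>
  <script async src="https://fullstory.com/s/fs.js"></script>
</head><body>
  <form action="/checkout">
    <input type="password" name="pw" data-hj-suppress>
    <input type="text" name="cardnumber" autocomplete="cc-number">
    <textarea name="prescription_notes" class="fs-mask"></textarea>
    <input type="text" id="ssn_last4">
  </form>
</body></html>
"""

if __name__ == "__main__":
    report = audit_html(SAMPLE_HTML)
    for provider, src, insecure in report["replay_scripts"]:
        print(f"replay script: {provider} <- {src}{'  (plain HTTP)' if insecure else ''}")
    for field in report["unredacted"]:
        print(f"sensitive field recorded without suppression: {field}")
```

The field heuristics are deliberately coarse: the study's point is that redaction depends on the site operator marking every sensitive element, so a static pass like this is a way to catch the fields that were missed before a recording ever leaves the browser, not a substitute for reviewing what the provider actually captures.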

Regardless of how trustworthy companies like FullStory and the others may or may not be, the researchers see a concern with those firms being targets for malicious attacks. They point to Yandex, Hotjar and SmartLook as examples that serve their session replay dashboards over unencrypted HTTP rather than HTTPS, so a recorded session could be read in transit by anyone on the network path.

Thanks to the team’s research, session replay providers are reviewing their practices as well. Yandex and SmartLook are already looking into ways to improve the security of their dashboards.

Kevin Goodings, CEO of SessionCam, stated, "Everyone at SessionCam can get behind the CITP’s conclusion: ‘Improving user experience is a critical task for publishers. However, it shouldn’t come at the expense of user privacy.’ The whole team at SessionCam lives these values every day. The privacy of your website visitors and the security of your data is of paramount importance to us.”

If you would like to see the 482 websites that are confirmed to be using session replay scripts, the list is published on Princeton’s Web Transparency website.

Image and video courtesy Princeton University


 
> Upon being presented with the research, Walgreens issued a statement.
>
> “We take the protection of our customers’ data very seriously and are investigating the claims made in the study that was published yesterday. As we look into the concerns that were raised, and out of an abundance of caution, we have stopped sharing data with FullStory.”

Translation = We were selling your data but since you found out we'll stop now.
 
Anyone who isn't using a top-tier security package and either TOR or a decent commercial VPN is asking for trouble. The antivirus guys need to start getting really aggressive about blacklisting sites that engage in this kind of dangerous spying. I figured that remote keylogging was being used on a lot of sites and so I always tried to NEVER type something in a web form unless I was comfortable with the site admins reading it. But I guess I should've realized it would be used for more than that. What blows my mind is people who buy *internet-connected* "smart" junk with mics and cameras for their homes. Whatever happened to common sense?
 
> Anyone who isn't using a top-tier security package and either TOR or a decent commercial VPN is asking for trouble. The antivirus guys need to start getting really aggressive about blacklisting sites that engage in this kind of dangerous spying. I figured that remote keylogging was being used on a lot of sites and so I always tried to NEVER type something in a web form unless I was comfortable with the site admins reading it. But I guess I should've realized it would be used for more than that. What blows my mind is people who buy *internet-connected* "smart" junk with mics and cameras for their homes. Whatever happened to common sense?

I would say yes to the VPN but those internet protection suites don't really do anything you can't do yourself. Script blocking, Firewall, and ad-blocking can all be found free elsewhere.
 
> Anyone who isn't using a top-tier security package and either TOR or a decent commercial VPN is asking for trouble. The antivirus guys need to start getting really aggressive about blacklisting sites that engage in this kind of dangerous spying. I figured that remote keylogging was being used on a lot of sites and so I always tried to NEVER type something in a web form unless I was comfortable with the site admins reading it. But I guess I should've realized it would be used for more than that. What blows my mind is people who buy *internet-connected* "smart" junk with mics and cameras for their homes. Whatever happened to common sense?

I'm afraid the antivirus companies do more or less the same - live off selling your data. It's all in their TOSes and policies...
 
> Anyone who isn't using a top-tier security package and either TOR or a decent commercial VPN is asking for trouble. The antivirus guys need to start getting really aggressive about blacklisting sites that engage in this kind of dangerous spying. I figured that remote keylogging was being used on a lot of sites and so I always tried to NEVER type something in a web form unless I was comfortable with the site admins reading it. But I guess I should've realized it would be used for more than that. What blows my mind is people who buy *internet-connected* "smart" junk with mics and cameras for their homes. Whatever happened to common sense?

> I would say yes to the VPN but those internet protection suites don't really do anything you can't do yourself. Script blocking, Firewall, and ad-blocking can all be found free elsewhere.

And just like death and taxes, here comes the "you don't need antivirus" guy. Pretending malware doesn't exist won't make it go away no matter how much you want it to. Grow up.
 
Well, back in the early 2000s I was asked to implement a replay system from a website monitoring system (so there would not be anything like keylogging). I ranted and raved on the ethics and legal liability of accessing / replaying the user experience. I was fortunate to get away with taking the high ground and kept my job. Just think, I could have been the ancestor to Julian Assange (WikiLeaks).
 
> And just like death and taxes, here comes the "you don't need antivirus" guy. Pretending malware doesn't exist won't make it go away no matter how much you want it to. Grow up.

Grow up? As in actually avoiding shady websites and practicing computer common sense? 99% of viruses are contracted by the user. I haven't had a virus in over 10 years. If you are in need of protection you are either doing something shady, ignorant of computers in general, or going to websites you know aren't secure. I know well not to click that fake download button but the question is: Do you? Here you are defending software which is designed for the average person who doesn't know better. You are on a tech website, big surprise people here are smart enough to know how not to get malware.

I'm less like the "don't need anti-virus guy" and more like the "uses common sense guy". But yeah, I do use Malwarebytes in single scan mode once in a while and guess what? It never finds anything. Good thing too, cuz what a waste of resources it would be to run it all the time.
 
Big brother already watching you
Now little brother(s) are also trying to watch you

What in the world is this game? Do they sincerely think 1984 was a manual book?
 
So, what are you trying to tell us? Are you suggesting we avoid these sites?
(Avon, CBS, Chevrolet, RedHat, Nintendo, Microsoft, Skype, T-Mobile, etc.)
 
> So, what are you trying to tell us? Are you suggesting we avoid these sites?
> (Avon, CBS, Chevrolet, RedHat, Nintendo, Microsoft, Skype, T-Mobile, etc.)

There are quite a few things we can do to try to change this ill situation:
Read the terms of service and other company policies and make conscious choices about the services that we use;
Promote services that don't share (or - better - gather) your data and REALLY respect your privacy (mostly the ones whose business model does not rely on user profiling - we should be able to pay for that);
Block tracking scripts and domains in browsers, routers and devices, so it's not profitable to the companies;
Inform friends about those practices to increase awareness of the problem;
Put some pressure on the legislators - in the end only the law could make it stop;
Remember: demand creates supply.
 