3 min read

Most-popular websites use "keylogger-as-a-service" for analytics, researchers find

Filip TRUȚĂ

November 23, 2017

Ad One product to protect all your devices, without slowing them down.
Free 90-day trial
Most-popular websites use "keylogger-as-a-service" for analytics, researchers find

Third-party scripts on hundreds of popular websites have been extracting personal information from visitors in “increasingly intrusive ways,” according to researchers at Princeton University.

Steven Englehardt, Gunes Acar and Arvind Narayanan, the authors of the research, have published a report documenting the surprisingly invasive nature of “session replay” scripts employed by hundreds of the world”s most-popular websites. The team”s findings are presented in the first installment of a series called “No Boundaries.”

The scripts in question record everything from keystrokes to mouse movements to scrolling behavior in relation to the contents of the pages you visit. That data is then sent to third-party servers, the team says.

In other words, major websites rely on what could be described as “keylogger-as-a-service” for analytics.

“Unlike typical analytics services that provide aggregate statistics, these scripts are intended for the recording and playback of individual browsing sessions, as if someone is looking over your shoulder,” according to the trio.

For this study, the team analyzed seven of the top session replay services available today, including Yandex, FullStory, Hotjar and UserReplay. After a lot of digging around, the Princeton researchers found 482 websites (of the Alexa top 50,000) using these services.

To be clear, these data collection services, and others like them, serve a legitimate purpose – gathering analytics to improve a website, or the products and services advertised or sold through that website. However, based on their findings, Princeton researchers conclude that “the extent of data collected by these services far exceeds user expectations.”

For instance, text typed into forms is sometimes collected and sent to third-party servers before the user can even submit the form. The data also gets sent even if the user decides to forfeit the session.

Session replay scripts are said to be forbidden from recording keystrokes when the user inputs their password in a password field. But say you type your password in the wrong field by mistake. We”ve all done it at least once in our lives.

Precise mouse movements are saved too.

“This data can”t reasonably be expected to be kept anonymous,” reads the report. “In fact, some companies allow publishers to explicitly link recordings to a user”s real identity.”

Depending on the purpose of your visit to the websites, the danger levels vary. Merely browsing through an online fashion store may not pose a tremendous risk to your security. But collection of page content from a clinic”s online portal, for example, may translate to leaked medical conditions, credit card details and other personal information.

“This may expose users to identity theft, online scams, and other unwanted behavior. The same is true for the collection of user inputs during checkout and registration processes,” the team writes.

Any service managing or storing vast clusters of customer data makes an attractive target to hackers. And according to the report, session relay services aren”t exactly bulletproof.

In addition to passwords included in some session recordings, sensitive user inputs are redacted in a “fundamentally insecure” ways. Recording services are inherently setting themselves up for failure to protect user data.

The dashboards for some of the session relay services deliver playbacks within an HTTP page. This is the case even when recordings take place on a secured HTTPS website.

A list of websites that use third-party session replay scripts can be found here.

Motherboard has obtained statements from a few of the websites targeted. While some have decided to stop using session replay scripts to reevaluate their protocols, others have been dismissive of the research, claiming that, despite making use of such services, the organization greatly values the security of its users.

tags


Author



Right now

Top posts

Threat actors impersonate Canadian gas retailer to deliver malicious OneNote phishing campaign, Bitdefender Labs warns

Threat actors impersonate Canadian gas retailer to deliver malicious OneNote phishing campaign, Bitdefender Labs warns

January 26, 2023

2 min read
Spammers phish eager vacationers with travel-themed lures, Bitdefender Antispam Lab warns

Spammers phish eager vacationers with travel-themed lures, Bitdefender Antispam Lab warns

January 19, 2023

4 min read
Enhance your cyber resilience and privacy on Computer Security Day in four easy steps

Enhance your cyber resilience and privacy on Computer Security Day in four easy steps

November 29, 2022

2 min read
How to monitor your online privacy during your Thanksgiving trip

How to monitor your online privacy during your Thanksgiving trip

November 22, 2022

3 min read
Just your yearly dose of Black Friday spam: Cybercrooks get ahead of the game to steal shoppers’ info

Just your yearly dose of Black Friday spam: Cybercrooks get ahead of the game to steal shoppers’ info

November 16, 2022

6 min read
Bitdefender VPN in 2022: the new, the improved, and the soon-to-be

Bitdefender VPN in 2022: the new, the improved, and the soon-to-be

November 14, 2022

5 min read

FOLLOW US ON

SOCIAL MEDIA


You might also like

Meta Pays Out Bounties for Account Takeover and Two-Factor Authentication Bypass Exploits Meta Pays Out Bounties for Account Takeover and Two-Factor Authentication Bypass Exploits
Silviu STAHIE

January 31, 2023

1 min read
Hackers steal 10 million customer details from JD Sports Hackers steal 10 million customer details from JD Sports
Graham CLULEY

January 30, 2023

2 min read
North Korean Hackers Tried to Launder $100 Million in Crypto Stolen in 2022 North Korean Hackers Tried to Launder $100 Million in Crypto Stolen in 2022
Silviu STAHIE

January 25, 2023

1 min read