Session-replay scripts used by leading websites are helping them view what users type and how they browse through such sites, but such recordings may land sensitive user data in the hands of malicious third parties, warn researchers at Princeton University.
As many as 482 popular websites are using session-replay scripts from third party vendors to record mouse movements and what users type on their keyboards.
The revelation by researchers at Princeton University is significant in many ways. For instance, let’s consider you visit a new e-commerce website, find an amazing deal for a new product, decide that you are going to buy it, go to the check-out page and type in your delivery address and credit card details, but decide at the last moment that you’ll buy it later and save your money for other things.
Even though you didn’t save your credit card details on the website or share any other personal details, unbeknownst to you, the damage has already been done. The website used session-replay scripts from a third party vendor, thanks to which it can now view recordings of your activities from the time you visited it.
‘These scripts record your keystrokes, mouse movements, and scrolling behavior, along with the entire contents of the pages you visit, and send them to third-party servers. Unlike typical analytics services that provide aggregate statistics, these scripts are intended for the recording and playback of individual browsing sessions, as if someone is looking over your shoulder,’ the researchers said.
As such, these recordings contain everything you typed on the website, including passwords, credit card numbers and everything else. According to the researchers, such session-replay scripts are used to gather insights into how users interact with websites and are far more detailed compared to analytics services that provide aggregate statistics.
Even though the way such scripts work falls in the category of data collection, website visitors are unaware of such scripts, nor do websites warn them about their activities being recorded in advance. The researchers added that session-replay scripts offered by top vendors like Yandex, FullStory, Hotjar, UserReplay, Smartlook, Clicktale, and SessionCam are presently being used by 482 of the Alexa top 50,000 sites.
‘Collection of page content by third-party replay scripts may cause sensitive information such as medical conditions, credit card details and other personal information displayed on a page to leak to the third-party as part of the recording. This may expose users to identity theft, online scams, and other unwanted behavior. The same is true for the collection of user inputs during checkout and registration processes,’ they warned.
Even though website publishers are given manual and automatic redaction tools to ensure that sensitive information are kept out of such recordings, the process is incredibly complex as such publishers will need to diligently check and scrub all pages which display or accept information for every visitor.
As far as passwords are concerned, while session-replay scripts are configured to automatically excluding password input fields from recordings, mobile-friendly login boxes that use text inputs to store unmasked passwords are not protected by the rule, thereby revealing such passwords.
At the same time, the researchers also found that session-replay scripts from FullStory, Hotjar, Yandex and Smartlook do not mask names, e-mails, phone numbers, addresses, SSNs and dates of birth. Worryingly, scripts from Yandex do not mask credit card numbers, CVV codes and expiry dates at all.
Instead of providing automated redaction of displayed content by default, session-replay script vendors expect sites to manually label all personally identifying information included in a rendered page. Also, rather than working with web app developers to iteratively scrub personally identifying information from recordings which may be unique for different sites, script vendors offer their services on a plug-and-play basis.
To make it worse for users, two commonly used ad-blocking lists EasyList and EasyPrivacy do not block FullStory, Smartlook, or UserReplay scripts, thereby rendering website visitors completely vulnerable to information leakage.
‘Improving user experience is a critical task for publishers. However it shouldn’t come at the expense of user privacy,’ the researchers concluded.
Following the revelation by researchers at Princeton University, Smartlook told TEISS that it has made several changes to its masking guidelines to ensure that the loopholes highlighted by the researchers no longer exist.
‘We’re now completely running on HTTPS, and we’ve changed our password masking to hide password field input lengths. You can read more about it and our stance on user privacy in our official statement on the subject: https://www.smartlook.com/blog/smartlook-protect-user-privacy/,’ sais a Smartlook representative.