It is widely known that most websites keep a record of the number of visits and of the pages each visitor accesses. This is how websites run their marketing and promotional campaigns: whatever product you look at on a website, the next day you will see ads for the same category of product in your browser. This is called monitoring your online activity, and websites use session replay scripts to perform that monitoring.
To monitor your online activity, hidden code logs everything you type and every movement of your mouse, among other things. However, a recent study by Princeton University researchers shows that this is a risky practice, because third parties can easily obtain sensitive data such as medical complaints or credit card details and expose users to all sorts of scams, including identity theft.
In fact, the researchers have published a searchable list of the websites they examined for the study. Well-known websites including Adobe, GoDaddy, Skype, Samsung, Spotify, Microsoft, Rotten Tomatoes and WordPress were found to be using session replay scripts. For their study, the researchers analyzed around 50,000 top websites and identified that 482 of them were using session replay scripts.
The findings are documented by the university's Web Transparency and Accountability Project. Three researchers from the university, Steven Englehardt, Gunes Acar, and Arvind Narayanan, collaborated on the study, which is part of a series titled No Boundaries. The project was developed specifically to assess how websites and services record and use user data.
The study found that websites record everything from keystrokes, scrolling behavior and mouse movements to the content of the pages visited, and that this data is sent to third-party servers. This recording is risky for users because it is difficult to keep the data anonymous, so users are exposed to a variety of online scams.
Researchers from Princeton University’s Center for Information Technology Policy took part in the research. In a blog post, Steven Englehardt, a Ph.D. student at Princeton University, explained that session replay scripts differ from regular analytics services because they don’t provide aggregate stats but “record and playback individual browsing sessions,” which is no less than eavesdropping. Because the replay scripts are operated by third parties that receive the collected content, the practice is risky for users and far more invasive than most people assume.
Session replay scripts are bits of code that go beyond general aggregate stats and record everything about the browsing session of every single visitor. These scripts don’t run on every page of a website; they are strategically placed on pages where users are most likely to enter sensitive, personal information such as passwords. The researchers posted a video demonstrating how a session replay script records data.
The researchers analyzed the seven most popular session replay script companies, namely FullStory, SessionCam, Clicktale, Smartlook, UserReplay, Hotjar, and Yandex. They created test pages, installed session replay scripts from six of the seven firms, and further probing revealed that at least one of these scripts is used by 482 of the top 50,000 websites.
The researchers noted that these companies could be exposed to targeted attacks, since they are high-value targets. For example, the Yandex, Smartlook and Hotjar dashboards are served over unencrypted HTTP instead of HTTPS, which is more secure. This could allow an attacker to mount a man-in-the-middle attack that injects script into the playback page and obtains all of the recorded data.
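Two points from the article can be turned into a simple site-owner check: replay scripts are placed on pages that collect sensitive input, and some of this infrastructure is loaded over plain HTTP. The following is an added example written for this page, not code from the Princeton study or from any replay vendor; it lists the third-party origins a page hands its scripts to, flags those fetched over HTTP, and notes whether the page carries sensitive form fields. The page URL, script URLs and field descriptors are constructed samples.

```javascript
// Added defender-side audit, not from the Princeton study or any vendor.
// Input types and autocomplete tokens that mark a page as handling secrets
// or payment data (assumed list; extend for your own forms).
const SENSITIVE_TYPES = new Set(["password", "email", "tel"]);
const SENSITIVE_AUTOCOMPLETE = /^(cc-|new-password|current-password|one-time-code)/;

// Classify script sources as first- or third-party by exact origin match.
// Subdomains (cdn.shop.example) count as third-party here; loosen this if
// your site legitimately serves its own assets from them.
function auditScripts(pageUrl, scriptSrcs) {
  const pageOrigin = new URL(pageUrl).origin;
  const report = { firstParty: [], thirdParty: [] };
  for (const src of scriptSrcs) {
    const url = new URL(src, pageUrl); // resolves relative srcs against the page
    if (url.origin === pageOrigin) {
      report.firstParty.push(url.href);
    } else {
      // insecure: the script itself travels over HTTP and can be tampered with in transit
      report.thirdParty.push({ url: url.href, origin: url.origin, insecure: url.protocol === "http:" });
    }
  }
  return report;
}

// True if any form field on the page looks like it carries a secret or payment data.
function hasSensitiveFields(fields) {
  return fields.some(f =>
    SENSITIVE_TYPES.has((f.type || "").toLowerCase()) ||
    SENSITIVE_AUTOCOMPLETE.test((f.autocomplete || "").toLowerCase()));
}

// Summarise one page: which third parties receive its content, which scripts load
// insecurely, and whether sensitive fields sit on the same page as third-party code.
function pageRisk(pageUrl, scriptSrcs, fields) {
  const scripts = auditScripts(pageUrl, scriptSrcs);
  const sensitive = hasSensitiveFields(fields);
  return {
    sensitive,
    thirdPartyOrigins: [...new Set(scripts.thirdParty.map(s => s.origin))],
    insecureScripts: scripts.thirdParty.filter(s => s.insecure).map(s => s.url),
    exposed: sensitive && scripts.thirdParty.length > 0,
  };
}

// Constructed sample: a checkout page loading one first-party and two third-party scripts.
const SAMPLE_PAGE = "https://shop.example/checkout";
const SAMPLE_SCRIPTS = ["/js/app.js", "https://replay.vendor.test/record.js", "http://stats.vendor.test/t.js"];
const SAMPLE_FIELDS = [{ type: "text", autocomplete: "name" }, { type: "text", autocomplete: "cc-number" }];

// In a browser (DevTools console) read the live DOM; elsewhere run on the sample.
if (typeof document !== "undefined") {
  const srcs = [...document.scripts].map(s => s.src).filter(Boolean);
  const fields = [...document.querySelectorAll("input")].map(i => ({ type: i.type, autocomplete: i.autocomplete }));
  console.log(pageRisk(location.href, srcs, fields));
} else {
  console.log(pageRisk(SAMPLE_PAGE, SAMPLE_SCRIPTS, SAMPLE_FIELDS));
}
```

Pasted into a browser console on your own site, the report shows which origins receive the page's content and whether any sensitive field shares a page with third-party script, which is exactly the placement the study describes.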