Over 400 popular websites use a "session replay" script that can perfectly trace users' behavior

by Dmitry Ratushny

Everyone knows that search engines, ISPs, websites and other parties track the behavior of people using the Internet. However, according to survey results newly released by researchers at Princeton University's Center for Information Technology Policy (CITP), a "session replay" script that can trace operations such as what a user clicked on has been found on major websites, and it has become clear that third parties are collecting far deeper information than people think.

No boundaries: Exfiltration of personal data by session-replay scripts

Over 400 of the World's Most Popular Websites Record Your Every Keystroke, Princeton Researchers Find - Motherboard

In 2013, Facebook was criticized when it became clear that it was collecting the text users typed even when they ended up never pressing the "submit" button. However, such tracking is not limited to Facebook; it is taking place on many websites and web services. On some well-known, high-traffic sites, the researchers found that when a user entered data into an input form, the content was recorded even if the form was never submitted. Private documents that a user carelessly copies and pastes into the page are likewise captured by the website.

Facebook self-censorship: What happens to the posts you do not publish?

The tracking behavior described above is made possible by a script called "session replay". In general, session replay is intended for understanding how users use a website, but it is also capable of completely recording how the browser was operated. The researchers note that session replay scripts are not embedded on every page, but they are also used on pages handling sensitive personal information such as medical records and passwords.

The following video shows what session replay is. The operations performed in the browser on the left are fully reproduced in the browser on the right.

user replay fullstory demo - YouTube

Whereas some data collection methods claim to "collect information about users anonymously", the session replay software offered by a company called FullStory can tie actions on the Internet to individual users. FullStory did not respond to Motherboard's interview request.

The researchers' survey revealed that among the world's top 50,000 websites, 482 used session replay software from one of seven companies: FullStory, SessionCam, Clicktale, Smartlook, UserReplay, Hotjar and Yandex. Among them were the online retailer Bonobos and Fidelity Investments, which sells and manages investment trusts. On the other hand, websites do not record every single user's session, so the figure of 482 may in fact be an underestimate: when a researcher visited a site, it is possible that session replay happened to be inactive at the time.

The full list of 482 websites can be viewed below. It includes the names of major web services such as Microsoft, Skype and Spotify. The researchers add that "although the session replay script is embedded, the developer may have disabled the session recording function, so it is not necessarily the case that the website records sessions."

Site list

After the research results were announced, several companies, including Bonobos, announced that they would stop using session replay scripts. In an interview with WIRED, Bonobos said it had "stopped sharing data with FullStory in order to assess protocols and operations; we regularly evaluate and enhance our systems and processes to protect customer information."

"Collecting personal information such as medical records and credit card information through session replay services provided by third parties may lead to that information leaking to third parties," the researchers point out. Passwords are in principle excluded from tracking, but it is likely that passwords are nevertheless recorded accidentally. Depending on the vendor, everything a user types is excluded from the recording, but some software excludes only part of the input, and password information may leak inadvertently.

Even when typed input is not recorded, information may leak from the content displayed in the browser. When the researchers actually tried it, they say they were able to pick up information such as a user's name, medical condition and prescriptions even on a website that uses FullStory's script and does not track input content.
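As an added illustration (not code from the article or from any vendor it names), the following Node.js model shows why withholding only password fields is not enough: a replay snapshot also carries free-text inputs and rendered page text, and the site has to mark that text for masking itself. The DOM is modelled as plain objects, and the `data-replay-mask` attribute name is an assumption, not a vendor API.

```javascript
const MASK = "[redacted]";
// Constructed snapshot of a pharmacy-style account page (all values made up):
// a login form plus prescription details that are displayed, not typed.
// "data-replay-mask" is a hypothetical opt-in marker (assumption), not a vendor API.
const constructedSnapshot = {
  tag: "body", attrs: {},
  children: [
    { tag: "input", attrs: { type: "password", name: "pw" }, value: "example-password" },
    { tag: "input", attrs: { type: "text", name: "member-id" }, value: "MEM-000123" },
    { tag: "h1", attrs: {}, text: "Welcome back, Alice Example" },
    { tag: "li", attrs: { "data-replay-mask": "" }, text: "Prescription: example drug 10 mg" },
    { tag: "p", attrs: {}, text: "Your order has shipped." },
  ],
};

// Walk the tree, letting `edit` rewrite a shallow copy of each node.
function mapTree(node, edit) {
  const out = edit({ ...node, attrs: { ...(node.attrs || {}) } });
  if (node.children) out.children = node.children.map((c) => mapTree(c, edit));
  return out;
}

// Policy A: withhold only password fields. Other inputs and all rendered
// text are still serialized, which is the gap the article describes.
function redactPasswordsOnly(snapshot) {
  return mapTree(snapshot, (n) => {
    if (n.tag === "input" && n.attrs.type === "password") n.value = MASK;
    return n;
  });
}

// Policy B: withhold every input value plus any rendered text the site marked
// sensitive. Unmarked text (the greeting with the user's name) still leaks.
function redactInputsAndMarkedText(snapshot) {
  return mapTree(snapshot, (n) => {
    if (n.tag === "input" && "value" in n) n.value = MASK;
    if ("data-replay-mask" in n.attrs && "text" in n) n.text = MASK;
    return n;
  });
}

// Audit helper: every string that would still be sent under a given policy.
function leakedStrings(snapshot) {
  const found = [];
  (function walk(n) {
    for (const k of ["value", "text"]) if (n[k] !== undefined && n[k] !== MASK) found.push(n[k]);
    (n.children || []).forEach(walk);
  })(snapshot);
  return found;
}
```

Running `leakedStrings` over both policies makes the difference concrete: policy A still ships the member ID, the greeting and the prescription line, while policy B ships only the text nobody marked.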

by Ludovic Toinel

Experts also pointed to the danger of the companies providing session replay software themselves being hacked. The data gathered by a website's administrator can be played back in a web dashboard, but there are concerns that several companies' dashboards are served as unencrypted HTTP pages.

It was previously reported that about half of the world's 1,000 most famous sites track user behavior with some kind of tracking software, so, beyond session replay scripts alone, far more information than users imagine may be passing into other hands. The researchers cited using AdBlock Plus as a way to escape tracking by session replay.

in Security, Posted by darkhorse_log