The web payment system 'Stripe' records all user movements on the website and sends them to Stripe.



Many companies and developers use the web payment system '

Stripe ' because they can introduce a payment system simply by pasting the source code into apps and programs. Security can be said to be the most important thing for payment systems, but when software engineer Michael Lynch used Stripe, Stripe's official JavaScript library (Stripe.js) records all user actions on the website and Stripe It was discovered that it was secretly sending to my server.

Stripe is Silently Recording Your Movements On its Customers' Websites · mtlynch.io
https://mtlynch.io/stripe-recording-its-customers/



The following three data are recorded by Stripe.js and sent to Stripe.

1: All pages visited by the user, including web pages that do not display Stripe's payment form
2: A record of how the user moved the cursor on the website
3: An identifier that connects the website to the person who visited the website

Lynch noticed Stripe.js in action because he was using an HTTP proxy to detect HTTP traffic from the browser when adding a paid plan to the product. After implementing a web app payment flow using Stripe, all page navigation was generating a new POST request to Stripe's URL. Lynch's web app doesn't collect payment information until the user creates an account, but Stripe.js was making an HTTP request when a new user opened the web app home.

Lynch first thought that he might have made some mistakes when implementing Stripe. However, when I searched Google the POST request sent from the web application to find out what was wrong, there were several developers reporting the same situation, and I found that it existed back to 2017. It was



In a thread set up on Github, a Stripe employee

commented , 'This is unintended behavior and we will fix it .'



After confirming that the app was okay, Lynch reported the issue to Stripe support and asked how he could prevent this behavior. Immediately after that, I received a reply saying 'User tracking is by design and I want you to accept the function.' The actual email was as follows.

Hi Michael,

Thanks for getting in touch. Faith here from Stripe support.

Jumping right in, the calls being seen are by design in order to detect fraud and is in the best interests of the user.According to the docs: “To best leverage Stripe's advanced fraud functionality, include this script on every page, not just the checkout page. This allows Stripe to detect anomalous behavior that may be indicative of fraud as customers browse your website. ”

https://stripe.com/docs/js/including

Please let us know should you run into any other issues or have any other concerns.

All the best,
Faith



(Hi, Michael

thank you for contacting me. Faith, Stripe's support, answers.

Once you get into the main subject, what you have reported is a scam-finding specification that is in the best interest of the user. The spec says, 'To get Stripe's advanced scam protection to work at its maximum, include this script on every page, not just on the checkout page. This allows Stripe to browse your website. It is possible to detect abnormal behaviors that can occur while you are doing it. '

https://stripe.com/docs/js/including

(Please contact me if you have any other issues or concerns)

In response to this reply, Lynch said, 'It's in the' best interest for the user ', but it is clearly Stripe that is making a profit', and Stripe uses a fraud detection model for free using the data sent. It also points out the possibility of training and the possibility of selling the data to the advertiser. Stripe has not officially disclosed any information on this issue.

This issue became a hot topic on Y Combinator's bulletin board 'Hacker News' investing in startup companies, disclosure of data collection under the California Online Privacy Protection Act (CalOPPA), implementation of opt-out method, customer collection. It was pointed out that we needed a way to inspect the data.

Stripe records user movements on its customers' websites | Hacker News
https://news.ycombinator.com/item?id=22936818



On the other hand, in the thread, a person calling himself 'Stripe's co-founder' appeared and asserted that 'collected data has never been or will be sold or lent to advertisers'. Did. Stripe.js is a scam bot detection targeting businesses that use Stripe, and without Stripe.js companies that use Stripe will incur a lot of losses, the writer wrote. While it is said that you can not use Stripe.js if you do not want to use it, it also mentions cases where companies that do not use Stripe.js are the target of fraud attacks.

On the other hand, users who point out that Stripe's explanation is irrelevant as 'the question is not' whether or not data is collected as a fraud measure ', but' is data collection done in a legal and ethical way? ' I also have

in Web Service,   Security, Posted by darkhorse_log