Your Every Keystroke Recorded by Over 400 Top Websites.
Hundreds of homepages, including Microsoft, Adobe, WordPress, GoDaddy, Spotify, Skype, Samsung and Rotten Tomatoes, use hidden code called session replay scripts to monitor your online activity.
These hidden scripts record everything you do while visiting a page, including what you type and where you move your mouse.
This could be used by third parties to reveal everything from credit card details to medical complaints, putting you at risk of identity theft, online scams and other unwanted behaviour.
The findings were made as part of Princeton University's Web Transparency and Accountability Project, which monitors websites and services to find out what user data companies collect, how they collect it, and what they do with it.
Researchers found that 482 of the top 50,000 websites by number of visitors use session replay scripts.
They are used to record your keystrokes, mouse movements, and scrolling behaviour, along with the entire contents of the pages you visit, and send them to third-party servers.
The idea behind them is to let the owners of a website gather insights into how users interact with their pages, and to discover which are broken or are confusing to visitors.
But the Princeton team is concerned that keeping this data anonymous may prove difficult, exposing visitors to a number of dangers.
In a blog post revealing the findings, Steven Englehardt, a PhD candidate at Princeton, said: "Unlike typical analytics services that provide aggregate statistics, these scripts are intended for the recording and playback of individual browsing sessions, as if someone is looking over your shoulder."
Collection of page content by third-party replay scripts may cause sensitive information, such as medical conditions, credit card details, and other personal information displayed on a page, to leak to the third-party as part of the recording.
The same is true for the collection of user inputs during checkout and registration processes.
The Princeton team says the replay services offer a combination of manual and automatic redaction tools that allow publishers to exclude sensitive information from session replay recordings.
They decided to test the redaction processes used by six companies that offer the service.
They set up test pages, as well as analysing live sites, to find out what kind of information may be accessible via the tools.
Mr Englehardt and his colleagues identified four main vulnerabilities resulting from the use of the scripts.
All of the services studied attempt to prevent password leaks by automatically excluding password input fields from recordings.
However, mobile-friendly login boxes that use text inputs to store unmasked passwords are not redacted by this rule, unless the publisher manually adds redaction tags to exclude them.
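To make the gap in that rule concrete, here is an added example (not code from the article or from any replay vendor) modelling a recorder's per-field redaction decision. The default rule skips only `type="password"` inputs, so a text field showing an unmasked password or a card number is shipped in clear; the hardened rule, the publisher tag name `data-replay-redact` and the form fields are all assumptions constructed for the demonstration.

```javascript
// Default rule as the study describes it: only password-type inputs are excluded.
function defaultRedacts(field) {
  return field.type === "password";
}

// Hardened rule (assumed, not from the article): also honour a manual publisher
// redaction tag and the browser's autocomplete hints for credentials and cards.
const SENSITIVE_AUTOCOMPLETE = new Set([
  "current-password", "new-password", "cc-number", "cc-csc", "cc-exp",
]);

function hardenedRedacts(field) {
  if (field.type === "password") return true;
  if (field.dataset && field.dataset.replayRedact === "true") return true;
  if (field.autocomplete && SENSITIVE_AUTOCOMPLETE.has(field.autocomplete)) return true;
  return false;
}

// What a recorder would send to the third-party server for each field,
// given a redaction rule. Fields are plain objects standing in for DOM inputs.
function recordFields(fields, redacts) {
  return fields.map((f) => ({
    name: f.name,
    value: redacts(f) ? "[redacted]" : f.value,
  }));
}

// Constructed sample form: a masked password box, a "show password" text box
// (the mobile-friendly pattern from the article) and a card-number field.
const SAMPLE_FORM = [
  { name: "user", type: "text", value: "alice", autocomplete: "username" },
  { name: "pw_masked", type: "password", value: "hunter2", autocomplete: "current-password" },
  { name: "pw_shown", type: "text", value: "hunter2", autocomplete: "current-password" },
  { name: "card", type: "text", value: "4111111111111111", autocomplete: "cc-number" },
];

// Names of secret fields whose values would still reach the recording.
function leakedFields(fields, redacts) {
  const secretNames = new Set(["pw_masked", "pw_shown", "card"]);
  return recordFields(fields, redacts)
    .filter((r) => secretNames.has(r.name) && r.value !== "[redacted]")
    .map((r) => r.name);
}

console.log("default rule leaks:", leakedFields(SAMPLE_FORM, defaultRedacts));
console.log("hardened rule leaks:", leakedFields(SAMPLE_FORM, hardenedRedacts));
```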
The research team found at least one website where the password entered into a registration form was visible in SessionCam's software, one of the six services studied, even if the form was never submitted.
SessionCam has denied these claims.
Researchers also found that other sensitive user information may be recorded by session replay scripts, including during account creation, while making a purchase, or while searching the site.
Princeton's team noted that the scripts record the entire contents of a page as it is used. This is another avenue by which sensitive data could end up in the wrong hands.
Finally, the way in which the data is recorded, accessed and stored leaves users vulnerable to data breaches and leaks.
The team also created a searchable list of all the websites in their study that were found to contain scripts which could be used to record sessions, as well as those for which there was evidence of this taking place.
The list can be found here: https://webtransparency.cs.princeton.edu/no_boundaries/session_replay_sites.html