OVER 400 of the world’s top 50,000 websites track users’ online behaviour using ‘session replay scripts’, researchers at Princeton’s Center for Information Technology Policy (CITP) have claimed.
Three CITP researchers, Steve Englehardt, Gunes Acar, and Arvind Narayanan, unveiled their findings in a blog post as part of a series of three reports named “No Boundaries”, where they reveal how third-party scripts on websites have been extracting personal information.
The first post, released on Tuesday, details how the researchers looked at seven of the top session replay companies, which provide session replay scripts and frameworks to websites. These were Clicktale, FullStory, Hotjar, SessionCam, Smartlook, UserReplay, and Yandex.
The idea was to scrutinise what data was collected and how the collection took place. The researchers therefore set up test pages with session replay scripts from the six companies above, and were able to estimate the number of popular sites that use such scripts.
They found these services in use on 482 of the Alexa top 50,000 sites.
While some companies that sell replay scripts do offer a number of redaction tools that allow websites to exclude sensitive content from recordings, the use of session replay scripts by a sufficient number of the world’s popular websites could lead to serious privacy implications, the CITP researchers warned.
“Collection of page content by third-party replay scripts may cause sensitive information such as medical conditions, credit card details, and other personal information displayed on a page to leak to the third-party as part of the recording,” the CITP researchers said.
“This may expose users to identity theft, online scams, and other unwanted behaviour. The same is true for the collection of user inputs during checkout and registration processes.”
The researchers said there are four main vulnerabilities that could arise. The first is passwords, as they are included in session recordings.
“All of the services studied attempt to prevent password leaks by automatically excluding password input fields from recordings. However, mobile-friendly login boxes that use text inputs to store unmasked passwords are not redacted by this rule, unless the publisher manually adds redaction tags to exclude them,” the researchers added.
“We found at least one website where the password entered into a registration form leaked to SessionCam, even if the form is never submitted.”
The second vulnerability is “sensitive user inputs”, which are redacted in a partial and imperfect way.
As users interact with a site they will provide sensitive data during account creation, while making a purchase, or while searching the site. Session recording scripts can use keystroke or input element loggers to collect this data.
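A publisher-side check for the gap described above, added here as an example and not taken from the researchers or any vendor: it flags inputs that carry a password or card number but would slip past a rule that only excludes `type="password"` fields. It goes slightly beyond the password case to cover card inputs as well; the `data-replay-redact` marker and the sample form are assumptions constructed for illustration.

```javascript
// Hypothetical marker: replace with the exclusion class or attribute your
// replay vendor documents. It is not any real vendor's tag.
const REDACT_ATTR = 'data-replay-redact';
const PASSWORD_TOKENS = new Set(['current-password', 'new-password']);
const CARD_TOKENS = new Set(['cc-number', 'cc-csc']);
const PASSWORD_HINT = /pass(word|wd|phrase|code)|pwd/i;
const CARD_HINT = /card.?(number|num|no)\b|ccnum|cvv|cvc/i;

// Returns a finding for a sensitive field a recorder would capture, else null.
function classify(el) {
  const attr = (n) => el.getAttribute(n) || '';
  const type = (attr('type') || 'text').toLowerCase();
  const tokens = attr('autocomplete').toLowerCase().split(/\s+/);
  const label = [attr('name'), attr('id'), attr('placeholder')].join(' ');
  let kind = null;
  if (tokens.some((t) => PASSWORD_TOKENS.has(t)) || PASSWORD_HINT.test(label)) kind = 'password';
  else if (tokens.some((t) => CARD_TOKENS.has(t)) || CARD_HINT.test(label)) kind = 'card';
  if (kind === null) return null;
  // The automatic rule described above: only type=password is excluded.
  const autoExcluded = kind === 'password' && type === 'password';
  const tagged = el.getAttribute(REDACT_ATTR) !== null;
  if (autoExcluded || tagged) return null;
  return { field: attr('name') || attr('id'), type, kind };
}

function findUnredacted(inputs) {
  return Array.from(inputs).map(classify).filter((f) => f !== null);
}

// Constructed sample form; mock() mimics the DOM getAttribute() contract.
const mock = (a) => ({ getAttribute: (n) => (n in a ? a[n] : null) });
const SAMPLE_FORM = [
  mock({ type: 'password', name: 'password' }),
  mock({ type: 'text', name: 'password_visible', autocomplete: 'new-password' }),
  mock({ type: 'text', id: 'confirmPassword', [REDACT_ATTR]: '' }),
  mock({ type: 'tel', name: 'cardnumber', autocomplete: 'cc-number' }),
  mock({ type: 'search', name: 'q' }),
];

// In a browser console: findUnredacted(document.querySelectorAll('input'))
console.log(findUnredacted(SAMPLE_FORM));
```

The check reads static attributes only, so a field whose type is switched from `password` to `text` by a "show password" toggle has to be audited in its toggled state.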
The third vulnerability is “manual redaction of personally identifying information”, which is displayed on a page, making it “a fundamentally insecure model”.
In addition to collecting user inputs, the session recording companies also collect rendered page content, the researchers explained. And unlike user input recording, none of the companies appeared to provide automated redaction of displayed content by default, so all displayed content in the tests ended up leaking.
The last potential vulnerability found by the researchers is the failure of recording services to protect user data.
“Recording services increase the exposure to data breaches, as personal data will inevitably end up in recordings. These services must handle recording data with the same security practices with which a publisher would be expected to handle user data,” said the researchers’ post.
We will be contacting the session replay companies for a statement regarding the researchers’ claims. µ
Shortly after this article was published, SessionCam contacted The INQUIRER to inform us that this article was “highly inaccurate and defamatory” and demanded that it “would need be corrected immediately, with a prominent correction, or we will have to take advice from our legal representatives”.
After reminding SessionCam that we weren’t the ones making the “highly defamatory claim”, we are – out of balanced reporting – more than happy to publish its response, without need of any subtle threat of legal action. So here it is, grabbed afresh from email. Enjoy!
Source : Inquirer