No, you’re not being paranoid. Sites really are watching your every move

oneeye

Level 4
Thread author
Verified
Jul 14, 2014
174
I missed this last month, because I don't frequent Ars Technica, Motherboard, or Wired. Scary stuff here.

"
If you have the uncomfortable sense someone is looking over your shoulder as you surf the Web, you're not being paranoid. A new study finds hundreds of sites—including microsoft.com, adobe.com, and godaddy.com—employ scripts that record visitors' keystrokes, mouse movements, and scrolling behavior in real time, even before the input is submitted or is later deleted.

Session replay scripts are provided by third-party analytics services that are designed to help site operators better understand how visitors interact with their Web properties and identify specific pages that are confusing or broken. As their name implies, the scripts allow the operators to re-enact individual browsing sessions. Each click, input, and scroll can be recorded and later played back.

A study published last week reported that 482 of the 50,000 most trafficked websites employ such scripts, usually with no clear disclosure. It's not always easy to detect sites that employ such scripts. The actual number is almost certainly much higher, particularly among sites outside the top 50,000 that were studied.

"Collection of page content by third-party replay scripts may cause sensitive information, such as medical conditions, credit card details, and other personal information displayed on a page, to leak to the third-party as part of the recording," Steven Englehardt, a PhD candidate at Princeton University, wrote. "This may expose users to identity theft, online scams, and other unwanted behavior. The same is true for the collection of user inputs during checkout and registration processes."

Englehardt installed replay scripts from six of the most widely used services and found they all exposed visitors' private moments to varying degrees. During the process of creating an account, for instance, the scripts logged at least partial input typed into various fields. Scripts from FullStory, Hotjar, Yandex, and Smartlook were the most intrusive because, by default, they recorded all input typed into fields for names, e-mail addresses, phone numbers, addresses, Social Security numbers, and dates of birth.
 

Arequire

Level 29
Verified
Top Poster
Content Creator
Feb 10, 2017
1,814
Do these fall under the category trackers that can be blocked with something like ghostery or ublock origin?
They do but currently both extensions are failing to detect the majority. I'm sure now the practice is being put in the spotlight Cliqz (Ghostery's owner) and the EasyPrivacy community will be all over them (assuming said trackers are detectable).
 

TairikuOkami

Level 35
Verified
Top Poster
Content Creator
Well-known
May 13, 2017
2,452
Session replay scripts are provided by third-party analytics services
That is actually good, blocking third-party script should take care of it, unless it breaks the webpage.
I was really really trying to avoid using noscript/scriptsafe or similar, but I guess the time has come.
 

Attachments

  • capture_11212017_192212.jpg
    capture_11212017_192212.jpg
    170.7 KB · Views: 362
  • capture_11212017_192433.jpg
    capture_11212017_192433.jpg
    135.6 KB · Views: 390
  • capture_11212017_193106.jpg
    capture_11212017_193106.jpg
    198.2 KB · Views: 389

Weebarra

Level 17
Verified
Top Poster
Well-known
Apr 5, 2017
836
Thanks @oneeye, i was only reading this today although the article i read didn't mention any applications or sites etc that did it, nothing online is safe from anything or anyone.


Very scary reading, Thanks for sharing(that is what VPN is for):ROFLMAO::cool:

I think i will need to use my vpn a lot more now.

That is actually good, blocking third-party script should take care of it, unless it breaks the webpage.
I was really really trying to avoid using noscript/scriptsafe or similar, but I guess the time has come.

Me too, i feel i have too many extensions but i guess another one won't hurt will it especially if helps to protect us in some way.
 

TairikuOkami

Level 35
Verified
Top Poster
Content Creator
Well-known
May 13, 2017
2,452
Me too, i feel i have too many extensions but i guess another one won't hurt will it especially if helps to protect us in some way.
I am actually surprised, what all it blocks: canvas, webrtc, malware domains, youtube ads. I can remove several and replace just with this one. :)

The canvas options are great: people were discussing which is better: unique, random or none. This lets you to choose from all.
 

Attachments

  • capture_11212017_195543.jpg
    capture_11212017_195543.jpg
    290.3 KB · Views: 379
  • capture_11212017_211105.jpg
    capture_11212017_211105.jpg
    255.1 KB · Views: 336
Last edited:

Arequire

Level 29
Verified
Top Poster
Content Creator
Feb 10, 2017
1,814
I was really really trying to avoid using noscript/scriptsafe or similar, but I guess the time has come.
Could use uBO's 3rd-party script blocking. On broken sites just individually allow domains using local noop rules until the site is usable. (Remember to re-block any domains that don't contribute to making the site usable.)
 

TairikuOkami

Level 35
Verified
Top Poster
Content Creator
Well-known
May 13, 2017
2,452
Remember to re-block any domains that don't contribute to making the site usable.
Not an easy task, sometimes it is a combinations a few, plus hard to find a proper webpage like apis.google.com required to comment on some pages or amazonaws.com to download from sourceforge, seems unrelated. But the pay off is a way faster browsing. I do not even need adguard anymore.
 

Arequire

Level 29
Verified
Top Poster
Content Creator
Feb 10, 2017
1,814
Not an easy task, sometimes it is a combinations a few, plus hard to find a proper webpage like apis.google.com required to comment on some pages or amazonaws.com to download from sourceforge, seems unrelated. But the pay off is a way faster browsing. I do not even need adguard anymore.
It's a pain in the ass when first starting out but once you've built up rulesets for hundreds of websites it's really nice knowing there's no unnecessary bloat loading.
 

HarborFront

Level 71
Verified
Top Poster
Content Creator
Oct 9, 2016
6,014
OK, found something to block some session-replay scripts

Data release: list of websites that have third-party “session replay” scripts

Site list

According to the below article

No boundaries: Exfiltration of personal data by session-replay scripts

Two commonly used ad-blocking lists EasyList and EasyPrivacy do not block FullStory, Smartlook, or UserReplay scripts. EasyPrivacy has filter rules that block Yandex, Hotjar, ClickTale and SessionCam.

But they are now blocked!!

A: https://www3.lenovo.com/de/de/ · easylist/easylist@e559d9c · GitHub
A: http://www.plowhearth.com/favorite-gifts.htm · easylist/easylist@0f9e24d · GitHub
A: https://www.pitneybowes.com/us/shipping-and-mailing/postage-meters… · easylist/easylist@7161793 · GitHub


:)

 
Last edited:

Weebarra

Level 17
Verified
Top Poster
Well-known
Apr 5, 2017
836
Also available for Opera! Thanks for the tip TairikuOkami.(y)

Opera : ScriptSafe

Chrome : ScriptSafe

Thanks for the links @upnorth but can i ask, if these extensions safe to download from the chrome store (just because of all the talk recently of unsafe apps on the chrome store) i am not clever enough to know if they are genuine and are they user friendly for dummies like me ? :unsure:
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top