Popular Websites Are Recording Your Every Move

LASER_oneXM

482 of the Alexa top 50,000 sites are recording their users' every move, keystrokes and mouse movements included. This data is then sent to an analytics dashboard, not always in a secure manner.

In the analytics business, such data is called a session replay. Experts argue that an attacker could intercept this data in transit, or steal it from unsecured analytics dashboards to review user input and extract sensitive information.

Nicknamed session-replay attacks, such scenarios are possible because analytics firms that provide user session recording services do not discriminate when it comes to the data they log.

Some sites record form data before the form is submitted

Researchers from Princeton University wrote in a report released last week that they found session recording providers that logged passwords, credit card details, phone numbers, SSNs, dates of birth, and other information.


Some analytics providers record this information before the user hits submit inside a form, and even after every keystroke or mouse movement.


Experts said that some of the most intrusive session tracking scripts are provided by services such as FullStory, Hotjar, Yandex, and Smartlook, which appeared to log everything the user did on a page.


Even if other analytics firms provided mechanisms so that site owners could exclude sensitive form fields from user tracking, errors and bad implementation still sent sensitive user data to analytics dashboards.

According to Princeton researchers, some of today's biggest companies engage in user session recording.

Researchers say they found user session recording scripts on sites such as Yandex, Microsoft, Adobe, GoDaddy, Spotify, WordPress, Reuters, Comcast, TMZ, and others. Most worrisome, some of the tracking scripts showed up in the web domains of IM and data sharing apps such as Skype and Evernote. A full list of all the 482 major websites caught using user session recording scripts is available here.

User session recording is not an insecure practice per se, if done right. Website operators implement session recording whenever they want to know how site visitors interact with the site, UI elements, or promotions.
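
Added example (not part of the original post or of the Princeton report): a small offline audit that flags script URLs belonging to the four providers the article names and lists sensitive form fields that are not marked for exclusion. The host suffixes, the `data-replay-exclude` attribute, the field heuristics and the sample inventory are assumptions made for illustration.

```javascript
// Host suffixes are illustrative for the four providers the article names;
// check them against a maintained list (e.g. EasyPrivacy) before relying on them.
const REPLAY_HOSTS = { "fullstory.com": "FullStory", "hotjar.com": "Hotjar",
                       "mc.yandex.ru": "Yandex", "smartlook.com": "Smartlook" };

// Hypothetical opt-out attribute; each vendor has its own exclusion mechanism.
const EXCLUDE_ATTR = "data-replay-exclude";

// Heuristics for the data types the article lists (passwords, cards, SSNs, DOBs, phones).
const SENSITIVE_NAME = /pass|pwd|card|cc-?num|cvv|cvc|ssn|birth|dob|phone/i;
const SENSITIVE_TYPES = new Set(["password", "tel"]);
const SENSITIVE_AUTOCOMPLETE = /^(cc-|bday|tel|current-password|new-password)/;

function replayVendor(scriptUrl) {
  let host;
  try { host = new URL(scriptUrl).hostname.toLowerCase(); } catch { return null; }
  for (const [suffix, vendor] of Object.entries(REPLAY_HOSTS)) {
    // Match the domain itself or a subdomain, never a bare substring,
    // so a look-alike such as "nothotjar.com.example" is not a hit.
    if (host === suffix || host.endsWith("." + suffix)) return vendor;
  }
  return null;
}

function isSensitive(field) {
  return SENSITIVE_TYPES.has((field.type || "").toLowerCase()) ||
    SENSITIVE_AUTOCOMPLETE.test(field.autocomplete || "") ||
    SENSITIVE_NAME.test(field.name || "");
}

// Fields are only "exposed" when a replay script is present on the same page.
function auditPage(page) {
  const vendors = [...new Set(page.scripts.map(replayVendor).filter(Boolean))];
  const exposed = vendors.length === 0 ? [] : page.fields
    .filter((f) => isSensitive(f) && !(f.attrs || []).includes(EXCLUDE_ATTR))
    .map((f) => f.name);
  return { vendors, exposed };
}

// Constructed sample inventory (not taken from a real site).
const SAMPLE = {
  scripts: ["https://static.hotjar.com/c/x.js", "https://cdn.example/app.js",
            "https://nothotjar.com.example/t.js"],
  fields: [
    { name: "email", type: "email" },
    { name: "password", type: "password", attrs: [EXCLUDE_ATTR] },
    { name: "card_number", type: "text", autocomplete: "cc-number" },
    { name: "dob", type: "text" },
  ],
};
console.log(auditPage(SAMPLE));
```

In a browser, the inventory can be built from `document.scripts` and `document.querySelectorAll("input, textarea, select")` and passed to `auditPage`.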
 

Prorootect

Websites Are Recording Your Every Move - yes:

If you search, on Firefox (or Firefox forks, NOT on Chrome) by Bing, Yahoo! or DuckDuckGo (NOT by Google...), for a query from eg. MalwareTips thread title (eg. ContentBlockHelper stopped working ) - you have in the first place this result from "postthreads.org" :
with the title
"Fix ContentBlockHelper stopped working"

"…
postthreads.org/support/3932510/ContentBlockHelper-stopped-working... Oct 30, 2016 · I recommend downloading and running Reimage. It's a computer repair tool that has been proven to identify and fix many Windows problems with a high level ..."
"ContentBlockHelper stopped working may be caused by a number of different reasons.
If you have ContentBlockHelper stopped working then we strongly recommend that you Download (ContentBlockHelper stopped working) Repair Tool.
This article contains information that shows you how to fix ContentBlockHelper stopped working both (manually) and (automatically) , In addition, this article will help you troubleshoot some common error messages related to ContentBlockHelper stopped working that you may receive.
Note: This article was updated on 2017-11-19 and previously published under WIKI_Q210794 ..."

...
"Run a scan with a program like Reimage to get a free PC report to see... "

__________________

- so this article above is meant to push you to download their shady malware tool!
Yes, surely a shady website that is recording your every move!
(I'm able to safely look at this bad shady website - but never download their tool, please...).

On MT we have - it seems to me - about Reimage 'tool' this thread
Reimage Plus pop-ups ..

.. so Google is more secure than Bing, Yahoo! and DDG, cause you don't get the shady results like this above.
 

_CyberGhosT_

Background
Site title: Not Present
Date first seen: January 2017
Site rank: 239458
Primary language: Unknown
Description: Not Present
Keywords: Not Present
Network
Site: http://postthreads.org
Netblock Owner: Cloudflare, Inc.
Domain: postthreads.org
Nameserver: dana.ns.cloudflare.com
IP address: 104.31.78.81
DNS admin: dns@cloudflare.com
IPv6 address: 2400:cb00:2048:1:0:0:681f:4f51
Reverse DNS: unknown
Domain registrar: pir.org
Nameserver organisation: unknown
Organisation: Domains By Proxy, LLC, 14455 N. Hayden Road, Scottsdale, 85260, US
Hosting company: unknown
Top Level Domain: Organization entities (.org)
DNS Security Extensions: unknown
Hosting country: US
Hosting History

Netblock owner: Cloudflare, Inc. 101 Townsend Street San Francisco CA US 94107
IP address: 104.31.78.81
OS: Linux
Web server: cloudflare-nginx
Last seen: 25-Nov-2017
Security

Netcraft Risk Rating: 1/10

On Spamhaus Block List: No
On Exploits Block List: No
On Policy Block List: No
On Domain Block List: No

Sender Policy Framework
A host's Sender Policy Framework (SPF) describes who can send mail on its behalf. This is done by publishing an SPF record containing a series of rules. Each rule consists of a qualifier followed by a specification of which domains to apply this qualifier to. For more information please see openspf.org.
Warning: It appears that this host does not have an SPF record. Setting up an SPF record helps prevent the delivery of forged emails from your domain.
DMARC
DMARC (Domain-based Message Authentication, Reporting and Conformance) is a mechanism for domain owners to indicate how mail purporting to originate from their domain should be authenticated. It builds on SPF and DKIM, providing a method to set policy and to give reporting of failures. For more information please see dmarc.org.
This host does not have a DMARC record.
Web Trackers
Web Trackers are third-party resources loaded onto a webpage. Trackable resources include social sharing widgets, javascript files, and images. These trackers can be used to monitor individual user behaviour across the web. Data derived from these trackers are primarily used for advertising or analytics purposes.
No known trackers were identified.
Site Technology (fetched on 25th November 2017)
  • HTTP Accelerator
    A web accelerator is a proxy server that reduces web site access times.

    Technology: CloudFlare
    Description: Content delivery network and distributed domain name server service
    Popular sites using this technology: www.phimmoi.net, www.mozilla.org, www.ampparit.com
  • Content Delivery Network
    A content delivery network or content distribution network (CDN) is a large distributed system of servers deployed in multiple data centers in the Internet. The goal of a CDN is to serve content to end-users with high availability and high performance.

    Technology: CloudFlare
    Description: Content delivery network and distributed domain name server service
    Popular sites using this technology: www.voirfilms.info, www.weatherzone.com.au, www.digitalocean.com
  • HTTP Compression
    HTTP compression is a capability that can be built into web servers and web clients to make better use of available bandwidth, and provide greater transmission speeds between both.

    Technology: Gzip Content Encoding
    Description: Gzip HTTP Compression protocol
    Popular sites using this technology: www.virustotal.com, wwwapps.ups.com, www.exploit-db.com

Copyright © Netcraft Ltd. 2017

Their score is not that bad, the red text is highlighting what they don't have active which causes the score they receive.
None of the results listed were malicious, just poorly configured to protect the visitor. ;)
Search results via DuckDuckGo, which I proudly use.
 

Prorootect

- "unknown, not present, unknown"...


On ipaddress.com: Postthreads.org - Postthreads | Website

Postthreads.org Postthreads Website and Webhosting Information
We found that the organization hosting Postthreads.org is Cloudflare in United States.

A more detailed IP address report for Postthreads.org is below. At the time you pulled this report, the IP of Postthreads.org is 104.31.78.81. The context of Postthreads.org is "Postthreads" and could reflect the theme of the content available on the resource. More IP details of Postthreads.org are shown below along with a map location.

IP Address of Postthreads is 104.31.78.81
Hostname: postthreads.org
IP Address: 104.31.78.81
Organization: Cloudflare
ISP/Hosting: Cloudflare
Updated: 11/19/2017 01:49 AM
City: -
Country: United States
State: -
Timezone: -
Local Time: -
Map location for Postthreads.org | Postthreads

Postthreads.org Whois
Registrar GoDaddy.com, LLC
Whois Server whois.godaddy.com
Status clientDeleteProhibited
clientRenewProhibited
clientTransferProhibited
clientUpdateProhibited
autoRenewPeriod
Contact Email

Creation Date 11/17/2016
Updated Date 11/18/2017
Expiration Date 11/17/2018
Registrant Registration Private
Domains By Proxy, LLC
DomainsByProxy.com 14455 N. Hayden Road
Scottsdale, Arizona 85260
UNITED STATES
Telephone: 14806242599
Fax: 14806242598
Email:

Administrative Contact Registration Private
Domains By Proxy, LLC
DomainsByProxy.com 14455 N. Hayden Road
Scottsdale, Arizona 85260
UNITED STATES
Telephone: 14806242599
Fax: 14806242598
Email:

Technical Contact Registration Private
Domains By Proxy, LLC
DomainsByProxy.com 14455 N. Hayden Road
Scottsdale, Arizona 85260
UNITED STATES
Telephone: 14806242599
Fax: 14806242598
Email:

Nameservers DANA.NS.CLOUDFLARE.COM
DEAN.NS.CLOUDFLARE.COM
Postthreads.org Meta Tags
No data available
Postthreads.org Reverse IP | Websites on the same Webhosting
No data available

_____________________________

"No data available"

So it is verifiable, that cloudflare.com is hosting many malware websites, this problem has been known for many years.

This site seems to me to be not malicious ( wrote about on the post above), but its 'tool' is NOT good... shady, dangerous...

- then look on DDG results for http:// postthreads .org
 

Prorootect

I don't know what lies behind their tool, but I don't need to look for the "Fix ContentBlockHelper stopped working" with unknown for me "Reimage repair tool".
People had problems because of this 'tool' I think, so posted for help in MT.
Let's forget it then, no offense on my side, _CyberGhosT_;)

You wrote: 'Search results via DuckDuckGo, which I proudly use.' - very good, but DDG, Yahoo! and Bing results are sometimes polluted with links not too safe, I think...

Google has made a lot of effort in recent years to fight malware links, and this is clearly visible to me.
I also use Qwant: https://www.qwant.com/web and searx.me, good privacy search engines...
 

_CyberGhosT_

That's cool, if Google is your thing, have at it ;)
I have no doubt the tool is shady, I was only commenting and expanding on the Netcraft tool and what I noticed.
I don't believe I addressed that tool at all in fact.
Thanks @LASER_oneXM for the educational post.
 

Prorootect

"That's cool, if Google is your thing, have at it"
Yes, cause efficient results.
And I'm not afraid of Google's privacy bugs, cause I have sufficient defenses...
but my best defense no longer works, I'm worried, maybe my ContentBlockHelper is hacked at home, in my PC??
No one complains about this problem, I'm more and more worried, as the days go by...
 

oneeye

I don't know about the rest of you, but I've been having issues with Searx.me, and DDG, Google, and even Start Page gives me better results. Now I think I'll try the one mentioned above Qwant.
I know Google has loads of information on me just from using Android over-the-top years, but I've hardened up as much as I can, and retain usefulness. After all, I use many of their apps. Gmail, Drive, YouTube etc., etc., etc. Just about every single one to be honest. Slowly though I've incorporated more replacements, which will take over eventually when I decide to use the nuclear option.
 

HarborFront

FYI: If you use AdGuard you can enable the Easy Privacy list that article talks about in the AdGuard ad blocker filters list settings, it might even be enabled by default.
If you have uBlock Origin you can block them :)
 

HarborFront

"Yes, cause efficient results.
And I'm not afraid of Google's privacy bugs, cause I have sufficient defenses...
but my best defense no longer works, I'm worried, maybe my ContentBlockHelper is hacked at home, in my PC??
No one complains about this problem, I'm more and more worried, as the days go by..."
You can troubleshoot by getting rid of ContentBlockHelper first. Rebuild your security defenses and make sure they work. Then reinstall ContentBlockHelper

If the problem reappears then the cause is ContentBlockHelper
 

oneeye

"If you have uBlock Origin you can block them :)"

On Android I use browsers with blocking, and over the entire device I use Blokada, which blocks many analytics, running in the background. It doesn't get everything, like YouTube ads, but mostly all. I think AdGuard is a really strong product, but you'll pay a subscription for it. Blokada is free, open source, and one of the best I've used. uBlock Origin is my favorite tool, and another open source project. I try to use as many open source apps as I can, like Keepass 2 for Android password manager. But, I'm getting off topic now.
 

Prorootect

"You can troubleshoot by getting rid of ContentBlockHelper first. Rebuild your security defenses and make sure they work. Then reinstall ContentBlockHelper

If the problem reappears then the cause is ContentBlockHelper"
Thank you HarborFront, my ContentBlockHelper problem is solved by our friend Tsiehshi, look on ContentBlockHelper stopped working! : Add-on - ContentBlockHelper stopped working!

Your advice is very good, though. Thank you, HarborFront!
 
