482 sites from the top Alexa monitor every step of visitors and intercept keystrokes

Tomcat


Being paranoid does not mean that nobody is actually watching you. The truth of this old saying has been confirmed once again by researchers at Princeton University. They have published a report showing that hundreds of sites in the Alexa top 50,000 track every action their visitors take and, in effect, act as keyloggers.

On 482 of those sites the researchers found so-called session replay scripts, supplied to site owners by third-party analytics services. These tools were originally meant to improve user experience by letting companies study how visitors actually use a page and adapt it to their needs. In practice, however, such a script lets the operator replay a visitor's entire session, including every click, scroll and keystroke. A complete list of the sites found to be recording their users can be seen here .

The researchers note that sites using such intrusive tracking almost never warn their visitors about it. Moreover, the real number of affected sites is likely to be far higher than the few hundred identified, since the study did not look at resources outside the top 50,000 at all.

"The collection of data by third-party replay scripts can lead to the leakage of confidential information, for example medical data, bank card details and any other personal data displayed on the page," the analysts write. "As a result, users can become victims of identity theft, online scams and other types of fraud. The same applies to the data that users enter into forms during registration or checkout."

The researchers single out the replay scripts of six services as the most common and intrusive, among them those of FullStory, Hotjar, Yandex and Smartlook. By default these scripts record everything users type into forms, including name, email address, phone number, social security number and date of birth. The Smartlook and UserReplay scripts even record passwords typed into password fields, as well as the last four digits of bank card numbers. The video below demonstrates how the FullStory script intercepts data as it is entered.


The researchers acknowledge that these services are not illegal in themselves, and that all of them give site owners a way, automatic or manual, to restrict what is collected so that recording is less comprehensive. As a rule, though, this configuration takes considerable time and effort and requires a certain level of technical skill, so many sites simply run the scripts with their defaults.

In addition, the control panels of Yandex, Hotjar and Smartlook were found to be served over plain HTTP. Session data that was protected by HTTPS when the visitor entered it is therefore exposed again, without encryption, when the site operator views the recording.

This kind of intrusive tracking turns up not only on large portals such as microsoft.com, adobe.com and godaddy.com, but also on sites where one would not expect it. walgreens.com, for example, was found to be collecting medical information from visitors, including prescription data, and passing it on to FullStory. Another example is the site of the clothing company Bonobos, which leaked full bank card numbers of its visitors, again to FullStory.
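To make the difference between "record everything" and a configured, redacting setup concrete, here is an added example that is not code from the original post nor from FullStory, Hotjar, Smartlook or any other vendor mentioned above. It models a minimal session replay recorder as a pure function over DOM-like events so it runs in Node without a browser; the event shapes, the `data-replay-mask` attribute, the field-name patterns and the sample checkout events are all assumptions constructed for this illustration.

```javascript
'use strict';

// Added example, not vendor code: a toy session replay recorder that receives
// constructed DOM-like events and decides, per policy, whether to keep the
// typed value or mask it before it would be shipped to a third party.

// Policy 1 (the default behaviour the report describes): capture every input verbatim.
const CAPTURE_EVERYTHING = {
  maskTypes: new Set(),   // no input types are masked
  maskAttr: null,         // no opt-out attribute honoured
  maskNames: [],          // no field-name heuristics
};

// Policy 2 (a redacting configuration): mask password and contact fields, any
// element carrying a hypothetical data-replay-mask attribute, and fields whose
// name suggests card, SSN, CVV or date-of-birth data.
const REDACTING = {
  maskTypes: new Set(['password', 'tel', 'email']),
  maskAttr: 'data-replay-mask',
  maskNames: [/ssn/i, /card/i, /cvv/i, /dob|birth/i],
};

// Decide whether a target element's value must be masked under a policy.
function shouldMask(target, policy) {
  if (!target) return false;
  if (policy.maskTypes.has(String(target.type || '').toLowerCase())) return true;
  if (policy.maskAttr && target.attributes && policy.maskAttr in target.attributes) return true;
  return policy.maskNames.some(re => re.test(target.name || ''));
}

// Replace the content with asterisks of equal length: keystroke timing and
// length survive for UX analysis, the secret itself does not.
function mask(value) { return '*'.repeat(String(value).length); }

// Build a recorder that appends normalised events to an in-memory log.
function makeRecorder(policy) {
  const log = [];
  return {
    handle(evt) {
      switch (evt.type) {
        case 'click':
          log.push({ t: evt.t, type: 'click', x: evt.x, y: evt.y });
          break;
        case 'scroll':
          log.push({ t: evt.t, type: 'scroll', y: evt.scrollY });
          break;
        case 'input': {
          const masked = shouldMask(evt.target, policy);
          log.push({
            t: evt.t, type: 'input', field: evt.target.name,
            value: masked ? mask(evt.target.value) : evt.target.value,
            masked,
          });
          break;
        }
        default: // other event types are ignored by this toy recorder
      }
    },
    snapshot() { return log.slice(); },
  };
}

// Constructed events approximating a checkout/prescription form; not captured
// from any real site.
const SAMPLE_EVENTS = [
  { t: 0,  type: 'click',  x: 120, y: 340 },
  { t: 5,  type: 'input',  target: { tagName: 'INPUT', type: 'text',     name: 'fullname',    value: 'Jane Doe' } },
  { t: 9,  type: 'input',  target: { tagName: 'INPUT', type: 'password', name: 'pw',          value: 'hunter22' } },
  { t: 14, type: 'input',  target: { tagName: 'INPUT', type: 'text',     name: 'card_number', value: '4111111111111111' } },
  { t: 20, type: 'scroll', scrollY: 800 },
  { t: 25, type: 'input',  target: { tagName: 'INPUT', type: 'text',     name: 'rx',          value: 'metformin 500mg',
                                     attributes: { 'data-replay-mask': '' } } },
];

// Feed the sample session through a recorder and return the resulting log.
function replay(policy, events = SAMPLE_EVENTS) {
  const rec = makeRecorder(policy);
  events.forEach(e => rec.handle(e));
  return rec.snapshot();
}

// The values that would actually reach the analytics vendor under a policy.
function leakedValues(policy) {
  return replay(policy).filter(e => e.type === 'input' && !e.masked).map(e => e.value);
}

console.log('default policy leaks  :', leakedValues(CAPTURE_EVERYTHING));
console.log('redacting policy leaks:', leakedValues(REDACTING));
```

Under the default policy the password, the full card number and the prescription text all end up in the log; under the redacting policy only the name survives, and the masked entries still carry the field name and the typed length, which is what a UX analyst normally needs. Real vendor scripts expose their own exclusion mechanisms (CSS selectors, attributes, or global "mask all inputs" switches); the point of the example is that the safe behaviour has to be configured, because the defaults the report observed were the first policy.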

According to Motherboard and Wired, after the report was published both Walgreens and Bonobos stopped using FullStory. Representatives of Yandex, Hotjar and Smartlook, the three companies found to be serving their control panels over HTTP, also told journalists that they are already addressing the problem and that their services should move to HTTPS in the near future.