Session replay scripts video record your activity as you browse a website

November 27, 2017By Bjoern Greif

Princeton researchers have discovered tracking scripts on hundreds of websites that record, in real time, your keystrokes, mouse movements, and scroll action – even before you hit submit and even if you delete entered data.

Interested in having dozens of company representatives look over your shoulder while you visit a pharmacy, shop for clothes, make a purchase, or book an appointment? Certainly not! Nonetheless, this is exactly what happens every day on the internet. Increasingly, websites are embedding so-called “session replay scripts” that record your keystrokes, mouse movements and scroll activity in video form and sending them straight to tracking companies, who in turn make them available to the site operators.  Session replay scripts are pieces of code designed to record and play back individual browsing sessions so that interested parties can evaluate them in detail. A site operator may utilize these, for example, to find out how visitors interact with their page or if some items are broken or confusing.

It may sound harmless enough at first. In reality, however, the extent of data collected by these tracking services far exceeds user expectations, necessity, and what can be safely protected, according to researchers at Princeton University. Out of 50,000 most-visited websites (data taken from Alexa), 482 were found to have session replay scripts embedded. In the following study, they analyzed the most frequently found session replay scripts provided by Yandex, FullStory, Hotjar, Smartlook, Clicktale and SessionCam.

The scripts from FullStory, Hotjar, Yandex and Smartlook are highly intrusive. They record by default all input typed into form fields that yield personal information, such as fields for name, e-mail address, phone number, physical address, Social Security number and date of birth. This collection occurs even before users submit the form, and even if they delete the entered data. Mouse movement is also video recorded without knowledge and consent. Researchers conclude that this kind of data cannot reasonably be expected to be kept anonymous – in fact, some tracking companies even allow site operators to explicitly link recordings to a user’s real identity.

Even health information and credit card data are recorded

“Collection of page content by third-party replay scripts may cause sensitive information such as medical conditions, credit card details and other personal information displayed on a page to leak to the third-party as part of the recording,” explains Steven Englehardt, one of the study’s authors. Some of this data comes from session replay scripts that target and collect user inputs during checkout and registration processes. Possible consequences are grave: identify theft, online scams, unethical monitoring, and other malicious behavior.

 

According to Englehardt, website operations may be able to automatically or manually determine what sensitive information should be excluded from recordings. The required tools in many cases nonetheless require large amounts of developer time and skill, and even then, sensitive user inputs are often masked in a partial and imperfect way. The complicated redaction process can fail even for sites with a strong legal incentive to protect user data.

The popular pharmacy store chain, Walgreens, is cited as an example. Despite “extensive use of manual redaction for both displayed and input data,” Walgreens still leaked sensitive information including medical conditions, prescriptions, and user names to FullStory (according to the pharmacy, the site has now ceased sharing information with them). A similar case occurred with apparel company Bonobos, who sent FullStory complete credit card details letter-by-letter from their account page, including card number, expiration date, CVV, name and billing address.

Ghostery found the screen recording trackers FullStory and Hotjar on bonobos.com.

Ghostery found the screen recording trackers FullStory and Hotjar on bonobos.com.

FullStory’s client list also contains popular healthcare portal Zocdoc, through which users book doctor appointments and enter medical information. Though an analysis by Ghostery shows FullStory is not currently implemented on Zocdoc’s site, it reveals Crazy Egg, another company that offers screen recordings and “heat maps” that track user activity on the page. In any case, screen recordings on Zocdoc could divulge some highly private information.

Zocdoc has implemented Crazy Egg, which also does screen recordings.

Zocdoc has implemented Crazy Egg, which also does screen recordings.

Adding insult to injury, providers of session replay scripts could entirely fail to protect collected user data. For example, Yandex, Hotjar and Smartlook all offer dashboards that use unencrypted HTTP when their clients replay visitor sessions, regardless of whether the original sessions were HTTPS protected, making it easy for attackers to gain access to the recorded data.

Ghostery blocks session replay scripts

Ghostery’s anti-tracking tool, available as a free extension for all popular browsers – including Cliqz – blocks all of the aforementioned session replay scripts. Ghostery’s database also contains the known screen recording trackers Tamboo, Inspectlet, Mouseflow, Lucky Orange, Mousestats and Seevolution. As a Ghostery user, you can ensure that your activities on a website are not recorded by these companies.