Hundreds of Top Alexa Sites Track Keystrokes and User Activity

482 Top Alexa Sites Track Every Step and Keystroke of Visitors

If you’re feeling paranoid, it doesn’t mean you’re not actually being watched. This well-known saying has once again been confirmed by researchers at Princeton University. The experts published a report revealing that hundreds of the world’s 50,000 most-visited websites, according to Alexa, track every move their visitors make—and often act as keyloggers.

The researchers found special scripts, known as session replay scripts, on 482 sites. These scripts are provided by third-party analytics services to website owners. Originally, these tools were designed to improve user experience, helping companies better understand their users and tailor their services. However, these scripts essentially allow the entire user session to be replayed, including every click, scroll, and keystroke. The full list of sites spying on their users can be found here.

Sites Rarely Warn Users About Tracking

Experts note that sites using these intrusive tracking methods almost never warn their visitors. Moreover, the actual number of such sites is likely much higher, since the researchers only examined the top 50,000 sites and did not look beyond that.

“Data collection by third-party replay scripts can lead to leaks of confidential information, such as medical data, credit card details, and any other personal information displayed on the page,” the analysts write. “As a result, users may become victims of identity theft, online scams, and other types of fraud. The same applies to data entered by users in forms during registration or checkout.”

The Most Aggressive Session Replay Services

The most common and intrusive session replay scripts come from six services, including FullStory, Hotjar, Yandex, and Smartlook. By default, these companies’ scripts record all data users enter into forms, including full names, email addresses, phone numbers, Social Security numbers, and dates of birth. Smartlook and UserReplay even record passwords entered into password fields, as well as the last four digits of credit card numbers. The video below demonstrates data interception by FullStory’s script:

https://youtu.be/l0Yc8s0DTZA

Security Concerns and Lack of Encryption

Experts acknowledge that these services themselves are not necessarily illegal. In fact, they allow website owners to configure their settings to collect data more appropriately and avoid excessive data gathering. However, proper configuration requires significant time and technical skills. Additionally, according to the researchers, the admin panels of Yandex, Hotjar, and Smartlook use HTTP instead of HTTPS, meaning all session data—even from users originally protected by HTTPS—ends up unencrypted and unprotected.
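The two configuration steps the researchers point to, finding out whether a page loads a replay script at all and deciding which form fields must never be recorded, can be automated. The following is an added example, not code from the Princeton study or from any of the vendors named; the vendor hostnames and the field heuristics are assumptions for illustration, and the sample script URLs and form fields are constructed.

```javascript
// Registrable domains of the replay vendors named in the article. Assumed
// values for illustration; a real audit would maintain this list.
const REPLAY_VENDORS = {
  "fullstory.com": "FullStory",
  "hotjar.com": "Hotjar",
  "smartlook.com": "Smartlook",
  "mc.yandex.ru": "Yandex Metrica",
};

// Returns [{url, vendor}] for every script URL served from a known vendor
// domain (or a subdomain of it). Invalid or inline entries are skipped.
function findReplayScripts(scriptUrls) {
  const hits = [];
  for (const url of scriptUrls) {
    let host;
    try { host = new URL(url).hostname; } catch { continue; }
    for (const [domain, vendor] of Object.entries(REPLAY_VENDORS)) {
      if (host === domain || host.endsWith("." + domain)) hits.push({ url, vendor });
    }
  }
  return hits;
}

// Heuristics for fields whose values must be excluded from recording:
// password inputs, payment/identity autocomplete tokens, and telltale names.
const SENSITIVE_NAME = /pass|ssn|social|card|cvv|cvc|dob|birth|phone|email/i;
const SENSITIVE_AUTOCOMPLETE = /^(cc-|new-password|current-password|tel|email|bday)/;

// fields: [{name, type, autocomplete}] as a DOM-free stand-in for <input> elements.
// Returns the names of fields that need a vendor-side suppression rule.
function fieldsToSuppress(fields) {
  return fields
    .filter(f => f.type === "password" ||
                 SENSITIVE_NAME.test(f.name || "") ||
                 SENSITIVE_AUTOCOMPLETE.test(f.autocomplete || ""))
    .map(f => f.name);
}

// What a suppression rule should leave of a value: only its length.
function mask(value) { return "*".repeat(value.length); }

// Constructed sample input standing in for a page's <script src> and <input> tags.
const sampleScripts = [
  "https://edge.fullstory.com/s/fs.js",
  "https://static.hotjar.com/c/hotjar-123.js",
  "https://cdn.example.com/app.js",
];
const sampleFields = [
  { name: "username",   type: "text",     autocomplete: "username" },
  { name: "pwd",        type: "password", autocomplete: "current-password" },
  { name: "cardnumber", type: "text",     autocomplete: "cc-number" },
  { name: "comment",    type: "text",     autocomplete: "" },
];
```

Running `findReplayScripts(sampleScripts)` flags the FullStory and Hotjar loaders and ignores the first-party script, and `fieldsToSuppress(sampleFields)` returns the password and card-number fields, which is the set that must be masked before a session is ever shipped to a vendor.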

Major Sites and Sensitive Data at Risk

Intrusive tracking can be found not only on major portals like microsoft.com, adobe.com, or godaddy.com, but also on sites where you might not expect it. For example, walgreens.com was caught collecting visitors’ medical information and even recording prescription data (which was then passed on to FullStory). Another example is Bonobos, which leaked full credit card numbers of visitors, also to FullStory.

According to reports from Motherboard and Wired, after the researchers’ report was published, both companies stopped using FullStory’s services. Representatives from Yandex, Hotjar, and Smartlook—companies found to be using HTTP—also assured journalists that they are addressing the issue and will soon switch to HTTPS.
