Website User Tracking 'A Major Security Risk'

John Lister's picture

More than 400 leading websites could be compromising user security by collecting everything the user types - whether or not the user is aware. A Princeton University study also found the collected information was not always adequately protected and anonymized.

The problem highlighted by the study was the use of third-party tools that website owners can use to find out more about how people navigate their site. These tools often track precisely where the user moves a mouse cursor along with information they type in, even if they then delete it.

In principle these "session replay" tools can be valuable for the sites and users alike. They can often highlight confusing page designs that people struggle to navigate or web forms where users misread which information goes in which box.

Data Collected Can be Leaked

The researchers looked at sites which use at least one of six of the leading "session replay" services. They used an automated process to look through the code of the 50,000 leading websites and found that 482 were definitely using one of the services. (Source: princeton.edu)

The most serious problem was improper configuration of the tools, meaning that sensitive data such as passwords, card details or medical information could inadvertently be passed on to the company providing the session replay service.

While there's no suggestion these companies were deliberately trying to get these details, this creates an addition risk of a security breach exposing the data. It could also create both legal and moral complications with website users not knowing and not expecting their data to be passed on this way.

Walgreens Stops Using Tools

Another problem was that while both the website users are visiting and the collection tools are entirely secure and encrypted, the pages the site owners visit to see the data collected about their site are not always secure. This creates a risk of data being intercepted.

The researchers also noted that although session replay services use both automated and manual "scrubbing" to remove any personally identifying information, the sheer amount of data being collected means this doesn't always work as intended.

Several leading businesses, including Walgreens, have responded to the report by immediately disabling the services pending further investigation. (Source: ndtv.com)

What's Your Opinion?

Do the security risks of session replay tools outweigh the benefits? Does the practice need tighter regulation and security controls? Should sites be forced to reveal if they use session replay tools?

Rate this article: 
Average: 5 (6 votes)

Comments

HALLANE_10197's picture

Will doing the following defeat these Session Replay Service site attempts to capture my data?
I'm planning on putting pairs like these in my hosts file:

0.0.0.0 mc.yandex.ru
0.0.0.0 insights.hotjar.com
0.0.0.0 clicktale.net
etc.

The domain names I extracted are listed on this page:
https://gist.github.com/gunesacar/0c67b94ad415841cf3be6761714147ca
referenced at the "here" link in the "Methodology" section on the *princeton.edu* page given in John Lister's Nov 22nd "Website User Tracking..." article.

I'm also seriously considering adding these pairs to my "hosts" file:
0.0.0.0 www.facebook.com
0.0.0.0 facebook.com
0.0.0.0 twitter.com
0.0.0.0 linkedin.com
0.0.0.0 plus.google.com
0.0.0.0 reddit.com
0.0.0.0 getpocket.com

I don't use any of these sites.

My understanding is that the above sites track my use of all pages that have their logos/icons on them, right?

Will using my "hosts" file like this work?
Thanks for your reply!

sytruck_8413's picture

looking at this site is seems that will work:

http://winhelp2002.mvps.org/hosts.htm

I use this without any difficulty. Occasionally a site will "remind" me that I have blocked part of their page.

buzzallnight's picture

No one should be able to put anything on your computer without you knowing about it.

And nobody should be able to display anything on your computer that you can't copy.

matt_2058's picture

Nothing but trouble. I thought tracking page viewing data had been around for a little while. Hasn't that stuff been in play for ads for years?