Watch out! Popular websites can record your keystrokes

So you are seeing similar product ads that you were shopping or searching online a while ago? Wondering how did all those websites you are surfing know about what you were shopping for all these days? Well, blame your browser(s).

It’s nothing new that websites, ISPs and governments have been monitoring almost everything that you do on the internet. While ISPs usually have a larger record of what you do and where you head on the internet, most websites used cookies to monitor your online behavior so that they can target you with advertisements and spam. However, a new research findings from Princeton University states that there’s more than just monitoring cookies. Motherboard reported the research highlights some scripts used by 400+ most popular websites which enables the websites to log and playback everything that the user has typed on the website.

Three researchers from Princeton’s Center for Information Technology Policy (CITP) explained how third-party scripts run on many of the world’s most popular websites, and are able to track every keystroke and then send that information to a third-party server.

‘Facebook users were outraged in 2013 when it was discovered that the social network was doing something similar with status updates—it recorded what users they typed, even if they never ended up posting it,’ reported Motherboard.

The scripts in question are called ‘session replay’ scripts, which are used by companies to gain insights on how the customers are using their websites and/or to analyse confusing webpages. However, the scripts are not just general stastics. They have the ability to playback individual browsing sessions. Scrips don’t run on every page, but are often placed on particular pages which have sensitive information such as usernames, passwords, medical conditions, etc.

One of the researchers stated that the user will find it difficult to understand the reason behind it, unless they dug deep into the website’s privacy policies.

Below is a sample video of how the scripts are being replayed by a company called FullStory.

Motherboard reported ahead stating, ‘most troubling is that the information session replay scripts collect can’t “reasonably be expected to be kept anonymous,” according to the researchers. Some of the companies that provide this software, like FullStory, design tracking scripts that even allow website owners to link the recordings they gather to a user’s real identity. On the backend, companies can see that a user is connected to a specific email or name. FullStory did not return a request for comment.’

‘To conduct their study, Englehardt, Gunes Acar, and Arvind Narayanan looked at seven of the most popular session replay companies including FullStory, SessionCam, Clicktale, Smartlook, UserReplay, Hotjar, and Russia’s most popular search engine Yandex. They set up test pages and installed session replay scripts on them from six of the seven companies. Their findings indicated that at least one of these company’s scripts is being used by 482 of the world’s top 50,000 sites, according to their Alexa ranking,’ added Motherboard.

Highly prominent companies use the scripts. These include include men’s retailer Bonobos.com, Walgreens.com, and financial investment firm Fidelity.com. 482 websites might be a low estimate and it is likely that these scripts don’t record every user that visits the site. Popular websites that utilise session replay scripts documented by the researchers are listed here.

What researchers claim is that most troubling is many of these scripts cannot be kept reasonably anonymous. These scripts could also be designed to gather user’s real identities, where the company can see specific emails and names of the user who is on the website.

While some companies replied to the researchers that user information will be outmost confidential on their end, other companies did not reply to their queries. The researchers are worried that session script companies could be vulnerable to online attacks, and the highly-valued data could cause another online cyber-catastrophe. Good news is that popular ad-blocking tool AdBlock Plus can protect you against such type of session replay scripts; but for how long?