Stories
Slash Boxes
Comments

SoylentNews is people

Exfiltration of Personal Data by Session-Replay Javascript

posted by Fnord666 on Saturday November 18 2017, @10:18PM   Printer-friendly
from the monkey-see-monkey-do dept.

canopic jug writes:

The Freedom to Tinker has a post on using Javascript to facilitate the exfiltration of personal data by session-replay scripts.

You may know that most websites have third-party analytics scripts that record which pages you visit and the searches you make. But lately, more and more sites use "session replay" scripts. These scripts record your keystrokes, mouse movements, and scrolling behavior, along with the entire contents of the pages you visit, and send them to third-party servers. Unlike typical analytics services that provide aggregate statistics, these scripts are intended for the recording and playback of individual browsing sessions, as if someone is looking over your shoulder.

The stated purpose of this data collection includes gathering insights into how users interact with websites and discovering broken or confusing pages. However the extent of data collected by these services far exceeds user expectations [1]; text typed into forms is collected before the user submits the form, and precise mouse movements are saved, all without any visual indication to the user. This data can't reasonably be expected to be kept anonymous. In fact, some companies allow publishers to explicitly link recordings to a user's real identity.

Though the post refers to scripts added by the web server intentionally, if third party, such an ISP, competiting company, or government agency, is in control of a certificate already loaded into a target's browser, either overtly or covertly, a Man-in-the-Middle attack is trivial with SSL/TLS and exfiltration scripts can be sent as payload. If you want to see the latency burden that even ostensibly well-behaved scripts cause, press ctrl-shift-i in the browser, select "network" and then reload the page.

Original Submission

 
This discussion has been archived. No new comments can be posted.
Exfiltration of Personal Data by Session-Replay Javascript | Log In/Create an Account | Top | 30 comments | Search Discussion
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

  • (Score: 2) by takyon on Saturday November 18 2017, @10:59PM (1 child)

    by takyon (881) <takyonNO@SPAMsoylentnews.org> on Saturday November 18 2017, @10:59PM (#598778) Journal

    Whenever I use a link to Washington Post and some other sites, I add an (archive) link next to it (WaPost paywall can be easily beaten, but whatever). They are also known by the domain archive.fo.

    --
    [SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
    Starting Score:    1  point
    Karma-Bonus Modifier   +1  
    Total Score:   2  

  • (Score: 3, Informative) by Anonymous Coward on Saturday November 18 2017, @11:28PM

    by Anonymous Coward on Saturday November 18 2017, @11:28PM (#598787)

    Yup. (Faroe Islands.)

    The original site is in Iceland (.is).
    They also have servers in Liechtenstein (.li) and the European Union (.eu).

    .
    Additionally, archive.org respects changes to robots.txt by malicious actors and will disallow access.
    archive.is, archive.li, archive.fo, and archive.eu couldn't care less about robots.txt.
    Once they have a copy of the content, it won't be blocked by them.

    You can also use it as a proxy.
    Packets will carry the metadata of -their- stuff.
    (I've seen a notice on a page that they rendered which said that [browser name (not my browser; their browser)] is not fully supported.)

    -- OriginalOwner_ [soylentnews.org]