Some of the world’s most popular websites are logging everything you type and sending the data to third party servers, a shocking new study has discovered.
Researchers at Princeton University said that more than 480 of the most visited websites were running third party “session replay” scripts that record every letter typed and every click.
The data is then sent to third party servers which potentially means data companies have access to your credit card details, medical conditions and other private information.
The session replay scripts were found hidden on hundreds of websites, including those for Microsoft, Spotify, WordPress, Adobe, British Airways, Skype and Western Union.
The scripts are used to record keystrokes, mouse movements and scrolling behaviour on websites.
The researchers looked at seven firms which provide the session replay scripts – Clicktale, FullStory, Hotjar, SessionCam, Smartlook, UserReplay, and Yandex.
The idea behind scripts was to help website owners gather information on how a user interacts with a web page, and to help discover if a web page is broken or is confusing for visitors.
However, rather than recording general user data and statistics, the scripts record entire individual browser sessions
The researchers warned that recording this kind of data, even if it is kept anonymous, is dangerous and puts users at risk.
“Unlike typical analytics services that provide aggregate statistics, these scripts are intended for the recording and playback of individual browsing sessions, as if someone is looking over your shoulder, said Steven Englehardt from Princeton University.
“Collection of page content by third-party replay scripts may cause sensitive information, such as medical conditions, credit card details, and other personal information displayed on a page, to leak to the third-party as part of the recording.
“This may expose users to identity theft, online scams, and other unwanted behavior.
“The same is true for the collection of user inputs during checkout and registration processes.’”
You can find a list of all the websites using session replay scripts here
You can read the full report here