According to a new research paper released by Princeton University earlier this month, many of the web's largest and most popular websites are secretly recording every move their visitors make. Furthermore, the research indicates that not only are users completely unaware this is happening, but the data these companies/websites record and transmit is more often than not unsecured and vulnerable to interception by third parties, such as hackers or government agencies.
View Princeton’s Research Here: https://freedom-to-tinker.com/2017/11/15/no-boundaries-exfiltration-of-personal-data-by-session-replay-scripts/
According to the report, “482 of the Alexa top 50,000 sites” are recording their users' every move, including things like the “pages you visit, searches, logged passwords, credit card details, phone numbers, SSNs, dates of birth” – even “keystrokes and mouse movements.” Making matters worse, the researchers only discovered this information after they were able to intercept the data themselves, revealing just how insecure data transactions are on these particular websites.
UPDATE: we've released our data—the list of sites with session-replay scripts, and the sites where we've confirmed recording by third parties. https://t.co/ndNb2mJrqE
— Arvind Narayanan (@random_walker) November 20, 2017
As for why this data is being recorded in the first place, websites and services do this in order to gain valuable feedback about their customers, how they interact with the website and which areas of the site can be improved. In this way, the software behaves like a more advanced version of Google Analytics. However, the problem lies in how much data is actually being stored and how the software then communicates this information back to the site's owners.
Not only do at least some of these sites directly link user activity logs to people's real-life identities, but, as this information is transmitted back to the companies, it is not encrypted and is therefore not secured. This essentially leaves people's most private and personal information out in the open for anyone to find, which is what Princeton's findings over the course of 2017 demonstrate.
As was reported by Catalin Cimpanu of Bleeping Computer, “Researchers say they found user session recording scripts on sites such as Yandex, Microsoft, Adobe, GoDaddy, Spotify, WordPress, Reuters, Comcast, TMZ, and others.” Adding that “Most worrisome, some of the tracking scripts showed up in the web domains of IM and data sharing apps such as Skype and Evernote.”
Cimpanu goes on to explain that “The danger to end users comes in cases where a website operator loses access to his account. Because session tracking scripts track more than they’re supposed to, an attacker who gained access to such an account has access to the passwords of tens or hundreds of thousands of users, if not more. Furthermore, dashboards for analytics services like Yandex, Hotjar, and Smartlook are delivered via HTTP, revealing that some of these services don’t really pay attention to modern security practices.”
Full List of Websites Indicated: https://webtransparency.cs.princeton.edu/no_boundaries/session_replay_sites.html
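The Princeton study found these scripts by crawling sites and looking at which third-party scripts they load, and Cimpanu's point about services delivered over plain HTTP is something a site owner can check for too. The following is an added example (not code from the study or from this post) that a site operator can run over their own page's HTML to list scripts from the replay vendors named above and any script loaded over unencrypted http://. The vendor-to-host mapping and the sample page are assumptions constructed for the example, not data taken from the study.

```python
"""Audit a page's <script> tags for session-replay vendors and plain-HTTP loads."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed hosts for the replay vendors the article names (not from the study).
REPLAY_HOSTS = {
    "mc.yandex.ru": "Yandex Metrica",
    "static.hotjar.com": "Hotjar",
    "rec.smartlook.com": "Smartlook",
}


class ScriptCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in the document."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src)


def audit_scripts(html, page_scheme="https"):
    """Return (src, vendor_or_None, insecure) for each replay-vendor or http:// script.

    insecure is True when the script is fetched over plain http://, or when it is
    scheme-relative (//host/...) and the page itself is served over http.
    """
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src in collector.sources:
        parsed = urlparse(src)
        vendor = REPLAY_HOSTS.get(parsed.netloc.lower())
        insecure = (parsed.scheme or page_scheme) == "http"
        if vendor or insecure:
            findings.append((src, vendor, insecure))
    return findings


# Constructed sample page: a replay script over HTTPS, a tracker over plain HTTP,
# and a first-party script that should not be flagged.
SAMPLE_HTML = """<html><head>
<script src="https://static.hotjar.com/c/hotjar-12345.js?sv=6"></script>
<script src="http://mc.yandex.ru/metrika/watch.js"></script>
<script src="/static/app.js"></script>
</head><body></body></html>"""

if __name__ == "__main__":
    for src, vendor, insecure in audit_scripts(SAMPLE_HTML):
        print(f"{src}: vendor={vendor}, insecure={insecure}")
```

Run it against the HTML of a page you operate; any line with insecure=True is a script an on-path observer could read or alter, and any vendor hit is a replay script whose recording settings deserve a review.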
On a separate but similar note, over the course of 2017 I have personally documented multiple websites which do not utilize SSL certificates. Most notably among them are CNN, Al Jazeera, Middle East Eye, The Hacker News, and Weather Channel. Much like the data transactions referenced by Princeton's study, SSL certificates encrypt the traffic of individual users while they use or browse a website. This means that without an active SSL certificate in place, the traffic of anyone who visits the aforementioned websites is vulnerable to interception and can be recorded by third parties, theoretically at any moment in time.
What makes this even more interesting is that SSL certificates are often cheap and, in some cases, can even be obtained for free. For this very reason, it is certainly curious why many of the world's largest, most profitable and most widely visited news organizations do not utilize SSL certificates on their sites. I have personally reached out to some of these companies for a comment on this matter, but have yet to receive a response from a single one of them.