Well over 400 high profile websites are collecting all the keys that you’ve pressed, and it turns out that most of them don’t even know about it.
When we hear the word keylogger, we imagine some sort of nefarious software installed on computers, without the knowledge of the users, collecting data regarding the keys pressed and sending them to third parties. That’s so yesterday, and we really miss those times.
It was clear that keyloggers were evil and that they could be dealt with, for example with the help of antivirus software. Now we're living in a new world: keyloggers are embedded in websites, and there's nothing the users can do about them. Most of the time, people don't even suspect that what they are typing is being recorded.
Not your average and shady website
You might also imagine that only websites of questionable repute engage in such practices, but that's not the case. According to a study from Princeton University's Centre for Information Technology Policy (CITP), more than 400 websites, many of which are well known, are actually gathering a lot of information, including keystrokes and mouse clicks.
The method is well known, but it's also not something that most users would expect. What makes matters a little worse is that the people in charge of some of the websites didn't even know.
It all comes down to something called a "session replay script," which is normally used to gather data regarding user engagement. In theory, the website developers analyze that data to improve the end-user experience.
Here is where everything takes a bad turn, making things much worse than just recording keys. Some of the recorded data includes passwords, and it ends up in dashboards that are not even secured with HTTPS.
That data should be redacted, meaning that things like passwords, usernames, or just names don't reach third parties, but that doesn't always work.
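To show why redaction "doesn't always work," here is an added example (not code from the article, the Princeton study, or any replay vendor): a small client-side scrubber a site owner could place between captured form input and a replay collector. The captured events, the field names and the allowlist are all constructed for illustration.

```javascript
// Constructed snapshot of input events a replay script might capture.
const capturedEvents = [
  { field: "username", type: "text",     value: "alice@example.com" },
  { field: "password", type: "password", value: "hunter2" },
  { field: "fullname", type: "text",     value: "Alice Example" },
  { field: "search",   type: "search",   value: "laptop deals" },
];

// Naive policy: mask only what the browser already marks as a password.
// This is the kind of rule that lets usernames and real names through in
// the clear, which is the failure the article describes.
function naiveDenylist(event) {
  return event.type === "password";
}

// Safer policy: record nothing unless the field is explicitly allowlisted.
// Hypothetical allowlist; a real deployment would derive it from a review
// of every form on the site.
const allowedFields = new Set(["search"]);
function allowlistOnly(event) {
  return !allowedFields.has(event.field);
}

// Replace the value of every event the policy marks as sensitive, keeping
// only its length so engagement metrics (typing activity) still survive.
function redactForReplay(events, shouldMask) {
  return events.map((e) =>
    shouldMask(e) ? { ...e, value: "*".repeat(e.value.length), masked: true }
                  : { ...e, masked: false });
}

// Which cleartext values would still reach the collector under a policy?
function leakedValues(events, shouldMask) {
  return redactForReplay(events, shouldMask)
    .filter((e) => !e.masked)
    .map((e) => e.value);
}

// The naive rule leaks the e-mail address and the real name; the
// allowlist rule leaks only the search term.
console.log(leakedValues(capturedEvents, naiveDenylist));
// -> [ 'alice@example.com', 'Alice Example', 'laptop deals' ]
console.log(leakedValues(capturedEvents, allowlistOnly));
// -> [ 'laptop deals' ]
```

The check to apply to any replay script already on a site is the same one this code makes explicit: whether a field is recorded because nobody denied it, or only because someone reviewed it and allowed it.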
The researchers from Princeton identified more than 400 websites in the top 50,000 in the world that have this kind of script installed and working. Some of the websites are not a surprise, such as VK. If you're logging in to a Russian website, you should expect that everything you write is being logged.
On the other hand, when you’re using HP, Xfinity, Comcast, Norton, Lenovo, Intel, The Telegraph, or Opera.com, you shouldn’t expect to be recorded. And these are websites that show evidence of active session recording. There are a lot more that have the script, but it’s not known whether things are recorded or not.
After the research was published, some of the websites acknowledged the existence of the script and said that they are going to stop using it. Others didn’t even know that the script was implemented. And that should be just as scary as everything else.
Working as a cyber security solutions architect, Alisa focuses on bug bounty and network security. Before joining us she held cyber security researcher positions at a variety of cyber security start-ups. She also has experience in different industry domains such as finance, healthcare and consumer products.