Researchers at Princeton University have found that over 480 of the world's most heavily trafficked websites run third-party "session replay" scripts that record visitors' keystrokes, clicks and other interactions and send those recordings to servers operated by the script vendors. Because every character typed into a form is captured as it is typed, the behaviour is effectively keylogging, even though the scripts are marketed as analytics.
The researchers' revelations indicate the invasive extent to which users' online activities are tracked. In the first instalment of a series titled "No Boundaries", researchers from Princeton's Center for Information Technology Policy (CITP), said even in instances where users have visited a site to fill an online form, but left it incomplete and abandoned it, every single letter typed is recorded.
The researchers studied seven of the most popular session replay vendors: FullStory, SessionCam, Clicktale, Smartlook, UserReplay, Hotjar, and Yandex, the Russian search company whose Metrica analytics service includes replay. The study found that at least one of these vendors' scripts is used by 482 of the world's top 50,000 sites, according to Alexa's traffic ranking.
What is session replay?
According to the researchers, "session replay" scripts are commonly used by companies to understand how customers use their sites. Unlike conventional analytics, which aggregate statistics about user behaviour, these scripts record entire individual browsing sessions and let the operator replay them. The researchers say the scripts are often found on pages where users enter sensitive information, including passwords, credit card data and medical conditions.
"These scripts record your keystrokes, mouse movements, and scrolling behavior, along with the entire contents of the pages you visit, and send them to third-party servers," the researchers said in a blog.
Motherboard reported that vendors such as FullStory also design their tracking scripts so that a customer can tie a recorded session to the user's real identity. In practice this means a company can view a replay alongside a specific name and/or email address.
"Collection of page content by third-party replay scripts may cause sensitive information such as medical conditions, credit card details and other personal information displayed on a page to leak to the third-party as part of the recording," the researchers added. "This may expose users to identity theft, online scams, and other unwanted behavior. The same is true for the collection of user inputs during checkout and registration processes."
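The recording and leakage described above, as an added example that is not code from the Princeton study or from any replay vendor: a simulated capture stream of the kind a session replay script assembles from keystroke and page-content events, and a client-side masking step of the kind a site owner would apply before anything leaves the page. The events, field names, the `masked` flag and the sensitivity regex are all constructed for this example.

```javascript
// Added example, not code from the Princeton study or any replay vendor.
// Simulates what a session replay script captures from an abandoned form and
// what a masking step would withhold. All events below are constructed.
//
// Assumed event shapes:
//   { kind: 'keystroke', field: { name, type, masked? }, char }
//   { kind: 'text', selector, masked?, text }   page-content snapshot
//   { kind: 'submit' }                          deliberately absent below
function typed(field, value) {
  return [...value].map(char => ({ kind: 'keystroke', field, char }));
}

const emailField = { name: 'email', type: 'email' };
const passwordField = { name: 'password', type: 'password' };
const cardField = { name: 'card_number', type: 'text' };
// `masked` stands in for a hypothetical site-owner opt-in attribute.
const notesField = { name: 'notes', type: 'text', masked: true };

// Constructed session: the visitor fills most of a form and then leaves.
const session = [
  { kind: 'text', selector: '#diagnosis', masked: true, text: 'Diagnosis: type 2 diabetes' },
  ...typed(emailField, 'jo@example.org'),
  ...typed(passwordField, 'hunter2'),
  ...typed(cardField, '4111 1111 1111'),
  ...typed(notesField, 'call after 5'),
  // no { kind: 'submit' }: the form was never sent
];

function wasSubmitted(events) {
  return events.some(ev => ev.kind === 'submit');
}

// What a replay server can rebuild from a raw stream: the complete value of
// every field, whether or not the form was ever submitted.
function reconstructFields(events) {
  const fields = {};
  for (const ev of events) {
    if (ev.kind !== 'keystroke') continue;
    fields[ev.field.name] = (fields[ev.field.name] || '') + ev.char;
  }
  return fields;
}

// Page content travels in the same stream, so rendered text leaks as well.
function pageText(events) {
  return events.filter(ev => ev.kind === 'text').map(ev => ev.text).join('\n');
}

// Masking policy (constructed): password inputs, field names that suggest
// payment or health data, and anything the site owner explicitly flagged.
const SENSITIVE_NAME = /pass|card|cvv|cvc|ssn|diagnos|medical|health/i;

function isSensitive(field) {
  return field.type === 'password' || field.masked === true || SENSITIVE_NAME.test(field.name);
}

// Replace sensitive characters before the stream is serialised and sent.
function mask(events) {
  return events.map(ev => {
    if (ev.kind === 'keystroke' && isSensitive(ev.field)) return { ...ev, char: '*' };
    if (ev.kind === 'text' && ev.masked) return { ...ev, text: '*'.repeat(ev.text.length) };
    return ev;
  });
}
```

Two caveats follow from the code. Masking only helps if the vendor's script honours it and the site owner has tagged every sensitive field and text node; anything rendered later, such as an order confirmation, leaks unless masking is the default. And a third-party script has full DOM access regardless of any policy, so on pages that handle credentials, card numbers or health data the reliable control is not to load the script at all.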
Companies using session replay scripts could be at risk of targeted attacks
Motherboard reported that the researchers are concerned that companies using session replay scripts are exposed to targeted attacks, since a store of complete user sessions is an obvious high-value target. In the case of Yandex, Smartlook and Hotjar, which serve pages over plain HTTP rather than encrypted HTTPS, the researchers believe an attacker positioned on the network could mount a man-in-the-middle attack and "extract all of the recording data".
Users can block session replay scripts with the popular ad-blocking tool AdBlock Plus. In response to the Princeton findings, AdBlock Plus updated its filter lists to block the replay scripts the study identified. Such blocking depends on the filter list knowing the vendors' hosts, so a script served from a new host or from the site's own domain is not caught.
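The two checks the preceding sections point at, as an added example rather than code from the study, from AdBlock Plus or from any vendor: audit the script URLs a page loads for session replay vendors, flag any fetched over plaintext HTTP, and emit AdBlock Plus-style filter rules for what was found. The vendor-to-domain table and the sample script list are assumptions constructed for the example; in a browser the list would come from `document.scripts`.

```javascript
// Added example, not code from the Princeton study, AdBlock Plus or any vendor.
// Audits a page's script URLs for session replay vendors and plaintext HTTP.

// Assumed vendor domains for the vendors named in the study. Match by
// registrable domain; the yandex.ru entry also covers non-Metrica Yandex
// hosts, so narrow it to the hosts you actually observe.
const REPLAY_VENDORS = {
  'fullstory.com': 'FullStory',
  'sessioncam.com': 'SessionCam',
  'clicktale.net': 'Clicktale',
  'smartlook.com': 'Smartlook',
  'userreplay.net': 'UserReplay',
  'hotjar.com': 'Hotjar',
  'yandex.ru': 'Yandex Metrica',
};

// Returns { domain, vendor } when hostname is the vendor domain or a subdomain
// of it (dot-boundary check avoids matching e.g. "nothotjar.com").
function vendorFor(hostname) {
  for (const [domain, vendor] of Object.entries(REPLAY_VENDORS)) {
    if (hostname === domain || hostname.endsWith('.' + domain)) return { domain, vendor };
  }
  return null;
}

// urls: script src values as found in the page; base: the page URL, used to
// resolve relative srcs. Unparseable entries are skipped.
function auditScripts(urls, base) {
  const findings = [];
  for (const raw of urls) {
    let url;
    try { url = new URL(raw, base); } catch { continue; }
    const match = vendorFor(url.hostname);
    if (!match) continue;
    findings.push({
      url: url.href,
      vendor: match.vendor,
      domain: match.domain,
      plaintext: url.protocol === 'http:',   // recording data and script both exposed to MITM
    });
  }
  return findings;
}

// AdBlock Plus filter syntax: "||example.com^" blocks the domain and its
// subdomains on any scheme. One rule per vendor domain found.
function abpRules(findings) {
  return [...new Set(findings.map(f => `||${f.domain}^`))];
}

// Constructed script list standing in for document.scripts on a sample page.
const pageBase = 'https://shop.example.com/checkout';
const pageScripts = [
  'https://shop.example.com/static/app.js',
  '/vendor/jquery.js',                       // relative, resolved against pageBase
  'https://fs.fullstory.com/s/fs.js',
  'http://mc.yandex.ru/metrika/watch.js',    // plaintext HTTP
];
```

Running `auditScripts(pageScripts, pageBase)` flags the FullStory and Yandex loaders and marks the Yandex one as plaintext; `abpRules` on that result yields `||fullstory.com^` and `||yandex.ru^`. A scan of the initial `<script>` tags misses loaders injected later by other scripts, so for a thorough audit take the list from the network log of a full page load rather than from the HTML alone.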