Researchers at the Center for Information Technology Policy (CITP) at Princeton University surveyed more than 400 websites in a study, many of them well known and frequently visited. They found that a so-called session replay script is used in many places; such a script is normally meant to provide information on user behavior.
The problem is that session replay makes the user's path through the respective website traceable in detail and, where applicable, records the user's inputs. If you fill out a form or enter your credit card information, the respective website operator can retrieve this information from the session replay in its plain form, even if it is actually encrypted when it moves into the respective database.
In some cases, the data is displayed in so-called dashboards that do not require much security. In addition, personal data that is actually secret is also recorded by mistake, even if the respective script is configured to leave this information out. The approach is well known and perhaps therefore widely used, but users often do not know that the technology is being used on a particular website.
The number of sites on which session replay is deployed is expected to be significantly higher than the approximately 400 examples that the researchers found when analyzing the 50,000 most-used websites. According to the security specialists, a large number of sites show signs of session replay scripts, and the operators include well-known companies. As examples, they mentioned the websites of HP, Intel, Lenovo, Norton and Opera. Session replay is also said to be used extensively on VK.com, the Russian counterpart to Facebook.
Theoretically, input in web-based chat clients, which are often used in social networks, can also be tracked this way, they say. Mouse clicks and other inputs are also recorded by session replay, even if the entered text is never transmitted to the respective website and stored there. Passwords and similar information may also be collected if the session replay script configuration has not been adjusted accordingly.
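
Which inputs end up in a recording depends on which fields the script's configuration excludes. The following is an added example, not code from the study or from any session replay product: it audits a constructed form under two masking rules, and the field descriptors, the `noRecord` opt-out flag and the function names are hypothetical.

```javascript
// Added example: audit which form fields a recorder would capture under two
// masking rules. Field descriptors are constructed sample data, not taken
// from any real site or any vendor's configuration format.
const SENSITIVE_AUTOCOMPLETE = new Set([
  "current-password", "new-password", "one-time-code",
  "cc-number", "cc-csc", "cc-exp", "cc-name",
]);
const SENSITIVE_NAME = /pass|pwd|card|cvv|cvc|ssn|iban|secret|token/i;

// Naive rule: only <input type="password"> is masked.
function naiveMask(field) {
  return field.type === "password";
}

// Stricter rule: also use standard autocomplete tokens, name/id hints, and
// an explicit per-field opt-out (hypothetical flag: noRecord).
function strictMask(field) {
  if (field.type === "password" || field.noRecord === true) return true;
  const tokens = (field.autocomplete || "").toLowerCase().split(/\s+/);
  if (tokens.some((t) => SENSITIVE_AUTOCOMPLETE.has(t))) return true;
  return SENSITIVE_NAME.test(`${field.name || ""} ${field.id || ""}`);
}

// Returns the names of fields that would be recorded in clear under `rule`.
function exposedFields(fields, rule) {
  return fields.filter((f) => !rule(f)).map((f) => f.name);
}

// Constructed login/checkout form.
const SAMPLE_FORM = [
  { name: "email", type: "email", autocomplete: "email" },
  { name: "password", type: "password", autocomplete: "current-password" },
  // "Show password" toggles commonly switch the input to type=text.
  { name: "password_visible", type: "text", autocomplete: "current-password" },
  { name: "pan", type: "text", autocomplete: "cc-number" },
  { name: "cvv", type: "text", autocomplete: "off" },
  { name: "chat_message", type: "textarea", noRecord: true },
  { name: "search", type: "search" },
];

console.log("naive :", exposedFields(SAMPLE_FORM, naiveMask));
console.log("strict:", exposedFields(SAMPLE_FORM, strictMask));
```

Under the naive rule the card number, the security code, the chat text and the revealed password all remain recordable; the stricter rule leaves only the e-mail and search fields unmasked.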