Researchers Steven Englehardt, Gunes Acar, and Arvind Narayanan looked at the seven top session replay companies that provide the scripts used on many of these websites. These were Clicktale, FullStory, Hotjar, SessionCam, Smartlook, UserReplay, and Yandex.
The stated objective of this data collection includes gathering insights into how users interact with websites and discovering broken or confusing pages.
According to the researchers, "session replay" scripts are commonly used by companies to help them understand how their customers are using the firms' sites.
Collection of page content could lead to the leaking of information about medical conditions, credit card details, and other personal information, the researchers pointed out.
"These scripts record your keystrokes, mouse movements, and scrolling behaviour, along with the entire contents of the pages you visit, and send them to third-party servers", the researchers said in a blog.
"This may expose users to identity theft, online scams, and other unwanted behaviour. The same is true for the collection of user inputs during checkout and registration processes", the CITP researchers explain.
But, say researchers at Princeton University, this is exactly what is happening.
However, the scripts don't discern between information that would be helpful for improving the user interface of the site and information that is personal in nature and shouldn't be shared; they simply collect every part of a user's session, potentially exposing information to third parties that was never meant to be shared.
The second vulnerability concerns "sensitive user inputs", which the scripts redact only in a partial and imperfect way.
Websites like men's retailer Bonobos; general store and pharmacy Walgreens; financial investment firm Fidelity; telecommunications providers Xfinity, Comcast and T-Mobile; clothing retailer Gap; and tech firms Intel and Lenovo were all found to have at least one of the session replay scripts.
The third vulnerability is the "manual redaction of personally identifying information" displayed on a page, which the researchers call "a fundamentally insecure model". Because session tracking scripts record more than they are supposed to, an attacker who gained access to an account with one of these recording services would have access to the passwords of tens or hundreds of thousands of users, if not more. The scripts are created to monitor how visitors interact with a site, gathering information that could improve page design, and the incredibly extensive data they collect is sent off to a third party for analysis.
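A site owner who wants to check for the two problems described above, a replay script being loaded at all and sensitive form fields that would be captured unless explicitly redacted, can audit their own page source. The following is an added example, not code from the study or from any of the named vendors. It matches script URLs on the vendor names the article lists (the hostname fragments are assumptions, since the article does not give script hosts), and it treats a field as redacted only if it carries a redaction marker; the `data-replay-redact` attribute is a placeholder, because each vendor uses its own marker. The sample HTML is constructed.

```javascript
// Added example (not from the study or the article): audit a page's source for
// session replay scripts and for sensitive inputs that are not marked redacted.
// Vendor matching uses the vendor names from the article; hostnames are assumed.
const REPLAY_VENDOR_PATTERNS = [
  { vendor: "Clicktale", pattern: /clicktale/i },
  { vendor: "FullStory", pattern: /fullstory/i },
  { vendor: "Hotjar", pattern: /hotjar/i },
  { vendor: "SessionCam", pattern: /sessioncam/i },
  { vendor: "Smartlook", pattern: /smartlook/i },
  { vendor: "UserReplay", pattern: /userreplay/i },
  { vendor: "Yandex", pattern: /yandex/i },
];

// Input types and name fragments that usually carry personal data.
const SENSITIVE_TYPES = new Set(["password", "email", "tel"]);
const SENSITIVE_NAME_HINTS = /(card|cvv|ssn|passw|secret|dob|diagnos)/i;

// Return every <script src=...> whose URL matches a known replay vendor.
function findReplayScripts(html) {
  const found = [];
  const scriptRe = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["'][^>]*>/gi;
  let m;
  while ((m = scriptRe.exec(html)) !== null) {
    const src = m[1];
    for (const { vendor, pattern } of REPLAY_VENDOR_PATTERNS) {
      if (pattern.test(src)) found.push({ vendor, src });
    }
  }
  return found;
}

// Parse the attributes of a single opening tag into an object. Valueless
// (boolean) attributes are kept with an empty string so they can be detected.
function parseAttrs(tag) {
  const attrs = {};
  const body = tag.replace(/^<\w+/, "");
  const attrRe =
    /([a-zA-Z_:][-a-zA-Z0-9_:.]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = attrRe.exec(body)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// Return sensitive <input>/<textarea> fields lacking the redaction marker.
// The marker name is a placeholder; substitute the one your vendor documents.
function findUnredactedSensitiveInputs(html, redactAttr = "data-replay-redact") {
  const out = [];
  const inputRe = /<(input|textarea)\b[^>]*>/gi;
  let m;
  while ((m = inputRe.exec(html)) !== null) {
    const attrs = parseAttrs(m[0]);
    const type = (attrs.type || "text").toLowerCase();
    const name = attrs.name || attrs.id || "";
    const sensitive = SENSITIVE_TYPES.has(type) || SENSITIVE_NAME_HINTS.test(name);
    if (sensitive && !(redactAttr in attrs)) out.push({ type, name });
  }
  return out;
}

function auditPage(html) {
  return {
    replayScripts: findReplayScripts(html),
    unredacted: findUnredactedSensitiveInputs(html),
  };
}

// Constructed sample page: one unrelated script, one replay script (assumed
// host on a .example domain), and a checkout/registration form.
const SAMPLE_HTML = `
<html><head>
<script src="https://cdn.unrelated.example/lib.js"></script>
<script src="https://static.hotjar.example/c/hotjar-0000.js" async></script>
</head><body>
<form>
  <input type="email" name="email">
  <input type="password" name="passwd">
  <input type="text" name="card_number" data-replay-redact>
  <input type="text" name="search">
  <textarea name="diagnosis_notes"></textarea>
</form>
</body></html>`;

console.log(JSON.stringify(auditPage(SAMPLE_HTML), null, 2));
```

On the sample page the audit reports the single replay script and three fields that a recording would capture verbatim: the email address, the password, and the free-text diagnosis notes. The card number field is skipped only because it carries the marker, which is the point of the researchers' criticism: a field is safe only if someone remembered to mark it, so an audit like this has to be repeated every time a form changes.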
"Recording services increase the exposure to data breaches, as personal data will inevitably end up in recordings".