The technique, known as session repetition, is used by companies to understand how customers use websites, although experts question the legality of using such software without the user’s consent.
“Record these scripts keystrokes, mouse movements and scrolling behavior, along with the entire contents of the pages you visit, and send them to third – party servers” are words of the researchers . “The collection of content of the page through third-party playback scripts can cause sensitive and personal information to leak to third parties and this can expose users to identity theft, online scams and other unwanted behavior. ”
To carry out the study, the researchers analyzed seven companies that offer session repetition software: FullStory, SessionCam, Clicktale, Smartlook, UserReplay, Hotjar and Yandex and discovered that 482 of the 50,000 best sites in the world used scripts provided by one of these signatures
Companies that use the software include the UK news website Telegraph, Samsung, Reuters, Home Depot and CBS News.
“The first area of concern here is the legality of registering the keystrokes of people without first informing them of the fact,” said Paul Edon, director of security firm Tripwire. “If these websites do not alert the user to the fact that they are registering keystrokes, then I classify this under ‘nefarious activity’ since it is less than honest, and the information is collected without the knowledge of the user.”