482 of the Alexa top 50,000 sites record their users' every move, keystrokes and mouse movements included. This data is then sent to an analytics dashboard, not always in a secure manner.
In the analytics business, such a recording is called a session replay. Experts argue that an attacker could intercept this data in transit, or steal it from poorly secured analytics dashboards, to review user input and extract sensitive information.
Nicknamed session-replay attacks, such scenarios are possible because the analytics firms that provide session recording services do not discriminate when it comes to the data they log.
Researchers from Princeton University wrote in a report released last week that they found session recording providers that logged passwords, credit card details, phone numbers, SSNs, dates of birth, and other information.
Some analytics providers record this information before the user ever hits submit on a form, capturing each keystroke and mouse movement as it happens.
Experts said that some of the most intrusive session tracking scripts are provided by services such as FullStory, Hotjar, Yandex, and Smartlook, which appeared to log everything the user did on a page.
Even where other analytics firms provide mechanisms that let site owners exclude sensitive form fields from recording, errors and bad implementations still sent sensitive user data to analytics dashboards.
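To make the two points above concrete (keystroke-level capture before submit, and field exclusion that fails when misconfigured), here is an added example that models a recording script and its redaction policy. It is not code from the Princeton report or from any vendor; the policy shape, attribute name `data-replay-ignore`, and the constructed checkout form are assumptions for illustration. It runs in Node without a DOM, with input events represented as plain objects.

```javascript
// Added illustration: a minimal model of a session-replay recorder.
// The policy fields and the opt-out attribute below are hypothetical,
// not any real vendor's API.
const DEFAULT_POLICY = {
  redactTypes: new Set(['password']),          // redact by input type
  redactAttr: 'data-replay-ignore',            // site owner opt-out attribute
  redactNamePattern: /(card|cc|ssn|cvv)/i,     // redact by field name
};

// Decide whether a field's value should be masked before it leaves the page.
function shouldRedact(target, policy) {
  if (policy.redactTypes.has(target.type)) return true;
  if (target.attrs && policy.redactAttr in target.attrs) return true;
  if (policy.redactNamePattern && policy.redactNamePattern.test(target.name || '')) return true;
  return false;
}

// Record one 'input' event. A real script would POST this to the vendor;
// here it is appended to an in-memory log and returned.
function recordInput(event, policy, log) {
  const { target, value } = event;
  const entry = {
    t: event.t,
    field: target.name,
    value: shouldRedact(target, policy) ? '*'.repeat(value.length) : value,
  };
  log.push(entry);
  return entry;
}

// Simulate typing into a field: browsers fire one 'input' event per keystroke,
// so the partial value is recorded every time, long before any submit.
function typeInto(target, text, t0, policy, log) {
  let value = '';
  for (let i = 0; i < text.length; i++) {
    value += text[i];
    recordInput({ t: t0 + i, target, value }, policy, log);
  }
  return value;
}

// Constructed checkout form (sample data, not real). The card field is a
// plain type="text" input with a generic name and no opt-out attribute, so a
// policy keyed on type, attribute or a name pattern misses it entirely.
function simulateCheckout(policy = DEFAULT_POLICY) {
  const log = [];
  const email = { tagName: 'INPUT', type: 'email', name: 'email', attrs: {} };
  const pw = { tagName: 'INPUT', type: 'password', name: 'pw', attrs: {} };
  const card = { tagName: 'INPUT', type: 'text', name: 'payment', attrs: {} };
  typeInto(email, 'a@b.example', 0, policy, log);
  typeInto(pw, 'hunter2', 100, policy, log);
  typeInto(card, '4111111111111111', 200, policy, log);
  return log;
}

// What someone reading the dashboard (or sniffing transit) learns per field:
// the last recorded value is the full input, even though submit never fired.
function recoveredValues(log) {
  const out = {};
  for (const e of log) out[e.field] = e.value;
  return out;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(recoveredValues(simulateCheckout()));
}
```

The fix on the site-owner side is to mark the card field with the opt-out attribute or widen the name pattern; the point of the example is that the default policy looks correct while still shipping the full card number one keystroke at a time.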
The danger to end users comes in cases where a website operator loses control of his analytics account. Because session tracking scripts record more than they are supposed to, an attacker who gained access to such an account would have access to the passwords of tens or hundreds of thousands of users, if not more.
Furthermore, the dashboards of analytics services such as Yandex, Hotjar, and Smartlook are delivered over plain HTTP, which suggests that some of these services do not pay much attention to modern security practices.
According to Princeton researchers, some of today's biggest companies engage in user session recording.
Researchers say they found user session recording scripts on sites such as Yandex, Microsoft, Adobe, GoDaddy, Spotify, WordPress, Reuters, Comcast, TMZ, and others. Most worrisome, some of the tracking scripts showed up in the web domains of IM and data sharing apps such as Skype and Evernote. A full list of all the 482 major websites caught using user session recording scripts is available here.
User session recording is not an insecure practice per se, if done right. Website operators implement session recording when they want to know how visitors interact with the site, its UI elements, or promotions.