Web firms record keystrokes of users

According to a study from Princeton University, more than 480 websites use a technique called session replay to understand how customers use their sites.

The study says that hundreds of web firms are tracking every single keystroke made by visitors. Experts questioned the legality of using such software without the user’s consent. “These scripts record your keystrokes, mouse movements, and scrolling behavior, along with the entire contents of the pages you visit, and may send them to third-party servers.”

The stated purpose of this data collection includes gathering insights into how users interact with websites and discovering broken or confusing pages. However, the extent of data collected by these services far exceeds user expectations. Text typed into forms is collected before the user submits the form, and precise mouse movements are saved, all without any visual indication to the user. This data cannot reasonably be expected to be kept anonymous.

The researchers analysed seven of the top session replay companies (chosen by their relative popularity in the study’s measurements). The services studied are Yandex, FullStory, Hotjar, UserReplay, Smartlook, Clicktale, and SessionCam. They found these services in use on 482 of the Alexa top 50,000 sites. Collection of page content by third-party replay scripts may cause sensitive information such as medical conditions, credit card details and other personal information displayed on a page to leak to the third party as part of the recording.

This may expose users to identity theft, online scams, and other unwanted behavior. The same is true for the collection of user inputs during checkout and registration processes.

The red lines identified by the study are:

1. Passwords are included in session recordings.

2. Sensitive user inputs are redacted in a partial and imperfect way.

3. Manual redaction of personally identifying information displayed on a page is a fundamentally insecure model.

4. Recording services may fail to protect user data.

Firms using the software included the UK news website the Telegraph, Samsung, Reuters, US retail giant Home Depot and CBS News. Paul Edon, director at security firm Tripwire, said: “The first area of concern here is the legality of recording people’s keystrokes without first informing them of the fact.” If that is the case, users’ trust in these websites will collapse.



320 million passwords revealed: are any of them yours?

A website developed and run by the Australian security expert Troy Hunt shows whether your email address has been stolen in a hack.

Here, 320 million passwords gathered from dozens of the world’s biggest data breaches are available. You can visit the site and check whether yours is among them.

If it is, change your password right away and choose a stronger one; if it has not been pwned, you are lucky enough.

The word pwned is internet slang for owned, meaning to take advantage of someone. A hacker who has pwned you has stolen your data (mostly date of birth, interests, hobbies, and sometimes secrets as well).

The site is easy to use: simply type an old password (not the current one) and press enter. Not being pwned does not mean you are safe enough; your safety depends on your alertness. It may simply be that your password has not been indexed by the site.

You can also download the password database from the site as a file of approximately 5.5 GB. Hunt wrote in his blog that the site can prove useful to tech-savvy and ordinary users alike.
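As an added example (not code from the article or from Hunt’s site), here is a small Python checker for the downloaded list: it hashes the candidate password with SHA-1, which is how the list stores passwords, and streams the file line by line rather than loading 5.5 GB into memory, so the plaintext never leaves your machine. The line format assumed here is a 40-hex-digit SHA-1 per line with an optional “:count” suffix, and the sample rows are constructed for the demonstration.

```python
import hashlib
from typing import Iterable, Optional, Tuple


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, matching the (assumed) list format."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def parse_line(line: str) -> Optional[Tuple[str, int]]:
    """Parse one list line. Assumed format: 'HASH' or 'HASH:COUNT'. Returns (hash, count)."""
    line = line.strip()
    if not line:
        return None
    digest, _, count = line.partition(":")
    digest = digest.upper()
    if len(digest) != 40 or any(c not in "0123456789ABCDEF" for c in digest):
        return None  # skip malformed rows instead of crashing on a multi-GB file
    return digest, (int(count) if count.isdigit() else 1)


def breach_count(password: str, lines: Iterable[str]) -> int:
    """How many times the password's hash appears in the list (0 = not found)."""
    target = sha1_hex(password)
    for line in lines:
        parsed = parse_line(line)
        if parsed is not None and parsed[0] == target:
            return parsed[1]
    return 0


def is_pwned(password: str, lines: Iterable[str]) -> bool:
    return breach_count(password, lines) > 0


def check_file(password: str, path: str) -> int:
    """Stream the downloaded list so the 5.5 GB file is never read into memory at once."""
    with open(path, "r", encoding="utf-8", errors="ignore") as fh:
        return breach_count(password, fh)


# Constructed sample standing in for the real download; the counts are made up.
SAMPLE_LINES = [
    f"{sha1_hex('password')}:3303003",
    f"{sha1_hex('123456')}:20760336",
    sha1_hex("letmein"),  # row without a count suffix
]

if __name__ == "__main__":
    for candidate in ("password", "letmein", "kX9#wq-plaintext-42"):
        print(candidate, "->", breach_count(candidate, SAMPLE_LINES))
```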

Ideally a password should be at least 15 characters long, mixing digits, upper- and lower-case letters, and symbols, so that security is maintained as a priority.

