Your Password Could Have Been Collected by a Web Analytics Tool. Here's What You Need to Do

Many website owners use Web analytics tools to gather information that helps them create a better user experience for their visitors, so such applications are built to collect various data about the user's browsing habits. Unfortunately, it was recently discovered that, instead of collecting only data about user behavior, some of these tools gather sensitive data such as passwords as well. This means that a website owner using such a tool could accidentally collect passwords or other sensitive data from their visitors without realizing it. If you continue reading our blog post, we will explain how a Web analytics tool can record passwords and what measures you should take if you want to keep your passwords and other sensitive information private while surfing the Internet.

What is a Web analytics tool?

Usually, a Web analytics tool collects and analyzes information about website visitors' behavior, such as search keywords or visited pages. Gathering such data helps website owners understand their customers' or visitors' needs better. As a result, they can optimize their websites and help their visitors find the content they are looking for faster, or add new content users may hope to see on the site. However, lately more and more web page owners employ so-called session replay scripts, which can gather user keystrokes and record mouse movements and even scrolling behavior. The problem is that some Web analytics tools appear to record data they are not supposed to gather, for example credit card information, and they can also capture passwords. Even though the site using such tools may have no intention of gathering or using the collected data, it could be accidentally leaked, as many sites share it with their third-party partners.

How does a Web analytics tool record passwords, and how dangerous could it be?

The flaws in some of the Web analytics tools were detected by researchers from Princeton's Center for Information Technology Policy, who shared their discovery on the research center's blog. According to them, the discovered flaws could expose users to online scams and even identity theft, as some of the Web analytics tools using the session replay scripts mentioned above could gather information about the user's medical condition, credit card details, and other sensitive data.

Furthermore, after studying seven different session replay companies (Yandex, FullStory, Hotjar, UserReplay, Smartlook, Clicktale, and SessionCam), the researchers noticed that even though all of them attempt to prevent password recording by excluding password input fields, in some cases data from those fields might still be collected. This means that the rules meant to prevent sensitive data collection do not always apply, and as a consequence the researched tools end up collecting data they should not, including passwords. For instance, some of the session recording scripts do not collect passwords unless they are displayed in clear text, because then the script no longer identifies the field as sensitive. Usually, when you type a password, it is displayed as hidden characters, but if you click the "display the password" button some websites provide, it is shown in clear text and could be collected.
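The following is an added example, not code from the post or from any of the vendors it names. It models a session replay recorder that redacts fields only by their current input type (the weak rule described above) beside one that remembers any field that was ever marked as a password. The field objects, the "pw" field name and the value "hunter2" are constructed stand-ins for DOM inputs so the script runs offline in Node.

```javascript
// Constructed stand-in for an <input> element (not a real DOM node).
function makeField(name, type, autocomplete) {
  return { name, type, autocomplete: autocomplete || "", value: "" };
}

// Weak rule: redact only while the field's type is currently "password".
function naiveIsSensitive(field) {
  return field.type === "password";
}

// Hardened rule: once a field is seen with type="password" or a password
// autocomplete hint, it stays redacted even if a "show password" toggle
// later flips its type to "text".
function makeHardenedRule() {
  const seen = new Set();
  return function isSensitive(field) {
    if (field.type === "password" || /password/.test(field.autocomplete)) {
      seen.add(field.name);
    }
    return seen.has(field.name);
  };
}

// Replay tools capture the field value on each input/mutation event; a real
// tool would ship this log to a third party, here it is just an array.
function recordEvent(log, isSensitive, field) {
  const value = isSensitive(field) ? "*".repeat(field.value.length) : field.value;
  log.push({ field: field.name, value });
}

// Simulate: the user types a (constructed) password while it is masked, then
// clicks "show password", which the page implements by changing the type.
function simulateSession(isSensitive) {
  const log = [];
  const pw = makeField("pw", "password", "current-password");
  pw.value = "hunter2";
  recordEvent(log, isSensitive, pw); // input event while masked
  pw.type = "text";                  // the "show password" toggle
  recordEvent(log, isSensitive, pw); // mutation event after the toggle
  return log[log.length - 1].value;  // what the recorder last captured
}

const naiveCapture = simulateSession(naiveIsSensitive);      // "hunter2" leaks
const hardenedCapture = simulateSession(makeHardenedRule()); // "*******"
```

Because the recorder captures the field's value on each event rather than individual keystrokes, the redaction rule matters regardless of whether the value was typed or filled in automatically.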

What is being done to stop Web analytics tools from stealing passwords?

Once the researchers shared their discoveries with the public and with the companies developing the researched tools, some of those companies began looking for ways to stop their tools from collecting passwords or other sensitive data. Nonetheless, even though some of the companies took immediate action, it may still take some time before accidental collection of private data is stopped, which is why we firmly believe users should learn about the extra precautions they can take to protect their privacy themselves.

How to stop Web analytics tools from recording your passwords and other sensitive data?

It looks like it is possible to stop web pages using these untrustworthy Web analytics tools from gathering your private data by blocking the scripts that do the monitoring. The easiest way to do this is to get a reliable ad blocking tool. Also, it is reported that some of the tools with the described flaws capture passwords only if the user clicks the button that reveals the password, so if you do not want to risk your password being collected by the pages you visit, you should not use the "show password" feature.

What's more, we suggest using a dedicated password manager application such as Cyclonis. It allows users to save passwords and then log in to sites automatically without having to type any login credentials. In fact, the software can also save information such as your credit card or identification card details and fill them into the required fields for you. This way, the information cannot be taken by keystroke recording even if the site records the user's keystrokes, as the fields are filled automatically. Storing passwords or other information in the password manager is safe, as all of this data is kept in an encrypted vault created on the user's device or chosen cloud storage. Plus, there are various additional safety measures. For example, users can enable settings that allow viewing passwords or logging in automatically only after entering the master password. For more information about Cyclonis, you can continue reading here.

To conclude, incidents like this show that we can never let our guard down. Whenever shopping online or creating a new account, we cannot know how the sensitive information a website may require us to enter could come back to hurt us in the future. Users should always think carefully before submitting any confidential information and provide it only when it is necessary.

October 24, 2018