
No boundaries: Exfiltration of personal data by session-replay scripts - ploggingdev
https://freedom-to-tinker.com/2017/11/15/no-boundaries-exfiltration-of-personal-data-by-session-replay-scripts/
======
mindslight
Home Depot does this in a way that consumes my whole upload bandwidth,
dragging down the entire connection (moved and haven't gotten around to
reintegrating the proper router with tc(8)). As a result, I've moved towards
using Lowes to spec things out, even though it's a 45 minute drive and their
products are of generally inferior quality. Good job, surveillance parasites -
you're starting to kill your hosts!

(I'm sure Lowes is or will be doing something similar, as faux-competition
duopolies tend to move in lockstep. But the outright callous boneheaded
execution still amazes me).

------
skrebbel
To be fair, FullStory spends a lot of time in their onboarding, UI and docs
encouraging you to check and double check that anything sensitive is excluded.
They broadcast this message so clearly that it's obvious that they take
privacy seriously (or, about as seriously as any over-the-shoulder-peeking
service could), and they strongly encourage their users to adopt the same
stance.

This article makes it seem like their defaults are the only exclusion settings
possible, which is very far from the truth.

I feel like FullStory is being blamed for trying to provide some minimal
default exclusion settings at all. I assume the same holds for competing
services.

I'm not saying that this means the core premise of this is wrong: there's many
things to dislike about session recording services. But the article goes on
and on about a few defaults, instead of focusing on the dangers of the core
concept and loses the argument that way IMO.

~~~
kevinconroy
Yes, the onboarding for FullStory is excellent and they go out of their way
to help you try to get it right. Odds are you'll end up doing a better job at
protecting privacy in FullStory than in your own log files, but YMMV.

------
seiferteric
Does anyone know if ublock origin blocks this kind of stuff? Yet another
reason to never disable it. I'm starting to realize it's a lot more than an ad
blocker, but more like a firewall to protect the client against malicious
sites with crypto miners, trackers and this stuff...

~~~
englehardt
Hi, one of the authors here. We discuss this in the last section of the post.
uBlock Origin uses lists to determine which requests to block. We tested the
two largest, EasyList and EasyPrivacy, and both fail to block scripts from
FullStory, Smartlook, and UserReplay.

~~~
gorhill
I suggest uBO's medium mode, this blocks 3rd-party scripts by default.

[1] https://github.com/gorhill/uBlock/wiki/Blocking-mode:-medium-mode

~~~
alinspired
Thank you for the suggestion in this unexpected place. I wish I knew of this uBO
feature before!

------
kevinconroy
+1 for highlighting the privacy concerns, but -1 for blaming the software for
not having strong enough defaults.

As someone who has integrated FullStory into a production site, I spent
several days doing a careful audit of our forms and redacting fields from
being tracked. FullStory has an excellent, universal account setting to
automatically redact fields based on any CSS selector, so it's very, very easy
to tell it to remove any sensitive information - or even all form fields! - if
that's what the website publisher desires. Out of the box I found that it
correctly blocked credit card fields and passwords, and we were able to add
additional fields that are sensitive.

Again, rightly so that a website publisher may want more information than you
desire, but they could also store your info in plaintext in the database,
making it easy for hackers to exfiltrate as well. Yes, this is another vector,
but hardly the easiest one.

~~~
joosters
It's still a broken process. Are you going to re-audit every future change to
your web site? I doubt it.

The default, as the article suggests, should be to redact all fields, then let
the company opt-in the fields that they really mean to record.
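The two policies argued over in the comments above (a denylist of fields to exclude, versus the redact-everything-by-default allowlist joosters proposes), as an added toy example. This is not FullStory's, any vendor's, or the article's code; the form fields, selectors and values are constructed, and the "SSN" field stands in for a sensitive input added to the site after the one-time audit, which is exactly the case the re-audit objection is about.

```javascript
// Added example (not FullStory's, any vendor's, or the article's code): a toy
// redaction pass over form fields, modelling the two policies argued about in
// the thread. A denylist records every field except the listed ones; an
// allowlist redacts every field except the ones explicitly opted in. The
// fields, selectors and values are all constructed for this example.

// Minimal matcher for one compound CSS selector: tag, #id, .class and
// [attr=value] / [attr], with no combinators. Enough to express the policies.
function matchesSelector(field, selector) {
  const parts = selector.match(/^[a-zA-Z][\w-]*|#[\w-]+|\.[\w-]+|\[[^\]]+\]/g) || [];
  if (parts.length === 0) return false;
  return parts.every((part) => {
    if (part.startsWith('#')) return field.id === part.slice(1);
    if (part.startsWith('.')) return (field.classes || []).includes(part.slice(1));
    if (part.startsWith('[')) {
      const [attr, rawValue] = part.slice(1, -1).split('=');
      const attrs = field.attrs || {};
      if (rawValue === undefined) return attr in attrs;
      return attrs[attr] === rawValue.replace(/^["']|["']$/g, '');
    }
    return field.tag === part;
  });
}

const REDACTED = '[redacted]';

// policy = { mode: 'denylist' | 'allowlist', selectors: [...] }
function shouldRedact(field, policy) {
  const listed = policy.selectors.some((s) => matchesSelector(field, s));
  return policy.mode === 'denylist' ? listed : !listed;
}

// What a recorder would ship off-site for one form snapshot: each field's name
// with either its real value or a fixed placeholder.
function recordForm(fields, policy) {
  return fields.map((field) => ({
    name: field.attrs.name,
    value: shouldRedact(field, policy) ? REDACTED : field.value,
  }));
}

// Constructed checkout form. The SSN field stands in for a sensitive input that
// was added to the site after the audit that produced the denylist.
const SAMPLE_FIELDS = [
  { tag: 'input', attrs: { type: 'search', name: 'q' }, value: 'drill bits' },
  { tag: 'input', attrs: { type: 'email', name: 'email' }, value: 'jane@example.com' },
  { tag: 'input', attrs: { type: 'password', name: 'password' }, value: 'hunter2' },
  { tag: 'input', classes: ['card-number'], attrs: { type: 'text', name: 'cc' }, value: '4111111111111111' },
  { tag: 'input', id: 'ssn', attrs: { type: 'text', name: 'ssn' }, value: '123-45-6789' },
];

// Audit-time denylist: the fields known to be sensitive when the audit was done.
const DENYLIST_POLICY = {
  mode: 'denylist',
  selectors: ['input[type=password]', '.card-number'],
};

// Redact-by-default allowlist: only the site search box is opted in to recording.
const ALLOWLIST_POLICY = {
  mode: 'allowlist',
  selectors: ['input[name=q]'],
};

// Names of the fields whose real value would leave the browser under a policy.
function leakedFields(fields, policy) {
  return recordForm(fields, policy)
    .filter((entry) => entry.value !== REDACTED)
    .map((entry) => entry.name);
}

console.log('denylist leaks:', leakedFields(SAMPLE_FIELDS, DENYLIST_POLICY));
console.log('allowlist leaks:', leakedFields(SAMPLE_FIELDS, ALLOWLIST_POLICY));
```

Under the denylist the email and the later-added SSN field are both recorded because nobody went back to extend the list; under the allowlist the new field is masked without anyone having to notice it exists, and only the search box that was deliberately opted in leaves the page. That asymmetry is the whole point of the default being argued about.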

~~~
kevinconroy
If a company is serious about security and privacy, they have to do those
audits for every feature, regardless of whether they use these tools. PCI
requires this if you handle money online.

Still, you're right that many companies have a surprising lack of security.
This vector of unintentional exfiltration may pale in comparison to the
intentional mismanagement and lack of security focus internally. Equifax,
anyone?

------
itissid
Read the article. Noob Q. Surely not ALL the browser tabs are vulnerable to
getting recorded? In other words, only the tabs that are connected to
websites that contain these recording JS scripts are vulnerable, correct?

~~~
scarmig
Correct. I think there's a caveat if the two different tabs render two
different documents but on the same domain, interactions on each could be
recorded by either tab.

------
tzahola
Is there a browser extension that warns you about the various tracker scripts
a website is utilizing?

~~~
inetknght
The closest I know of would be use of uMatrix and general knowledge of which
sites do what activities.

~~~
JoshMnem
uMatrix is great.

------
jlgaddis
Anyone know where I can find a list of the domain names used by these
companies? I want to block everything from all of their domains.

------
phkahler
DAMMIT. Once again the question that immediately comes to mind is "Why the FUCK
do browsers facilitate this shit?"

C'mon you stupid web devs on HN tell me again all your excuses to need these
capabilities. Sorry to generalize to all those of you who don't do this, but
many of you still want those capabilities that have opened the door. And those
browser devs... It's like they compete to sell out the users by adding
"features".

~~~
mschuster91
> but many of you still want those capabilities that have opened the door

Rest assured the majority of (web) developers do not like this crap a bit.
Most of the pressure to add hundreds of analytics toolkits, trackers or these
snoopers comes from marketing - they (or worse, the C-level execs) get
convinced that they need to integrate tool XYZ to "stay competitive" or
"improve their customer retention" or whatever buzzword goes today, and the
devs at the bottom of the chain are left to implement it.

~~~
cotillion
Sometimes it's just laziness.

I was forced to add GTM to a site because it meant marketing could just hand
over the GTM login and a pile of money to another company which could then
provide them with pretty reports on what the customers were doing. The
analytics company promised to not do anything bad so it was OK.

And that was after an incident where the entire site was turned purple by
another external JavaScript...

~~~
mschuster91
> And that was after an incident where the entire site was turned purple by
> another external JavaScript...

lol, what was the root cause? Defacement/scriptkiddie attack or a "background
covering" ad that did not recognize the content area and paint over the whole
screen instead?

~~~
cotillion
The script was for a yearly user survey run by a small company. It has an
awards ceremony attached, so I think that's why some marketing people like it.
After the survey ended the script was not removed, of course.

Around a year later the site changed color when their script started injecting
a new stylesheet into our site. They never really said what happened, only that
they had restored the old version of the script. Maybe some developer pushed
dev code to the old production URL or maybe they were hacked.

