Keystroke recording scripts found running on numerous Hong Kong websites, say researchers

Several Hong Kong websites are running third-party scripts which can potentially capture the keystrokes of site visitors, according to a study by researchers at Princeton University.

The sites may have no knowledge of the nature of the scripts. According to a 96,000-entry spreadsheet compiled by the researchers, the local websites of the Hong Kong Trade Development Council, Watsons, Lexis Nexis, Lane Crawford, GoGoVan, Spacious, Expat Living, AXA, Air France, and Air New Zealand are affected, among others.

The research published last week looked into seven of the top “session replay” companies, who specialise in gathering user data by recording the activities of website visitors. The scripts – usually used to collect information about the behaviour of visitors – may be inserted into websites to track mouse movements, key strokes and scrolling. The information is collected by a third party and made available to the client.

The data services studied included Yandex, FullStory, Hotjar, UserReplay, Smartlook, Clicktale, and SessionCam. The researchers found the services were in use on 482 of the Alexa top 50,000 websites in the world.

The Princeton researchers tested scripts from six of the seven companies and found that passwords can be included in session recordings, and that sensitive data inputted by users was redacted in an incomplete and imperfect way.

Leo Weese, a Hong Kong-based IT security expert and privacy advocate, told HKFP that such scripts are built by “sketchy” ad companies, and firms often embed them on their websites in an effort to gather data: “Ad companies mine and sell the data, give some of it back to the websites as ‘analytics insights’.”

“I think the biggest threat is that the data is indiscriminately collected and sent to the ad companies. They suddenly have your personal information, emails, passwords, everything you type or paste into a web form even if you don’t click send or submit,” he said.

Many of the websites with the .hk regional domain embedded scripts from Hotjar.

Most of entries mentioned in the spreadsheet noted that analytics scripts exist on the websites, though there was no evidence of session recording.

session replay script — Summary of the automated redaction features for form inputs enabled by default from each company. **Filled circle:** Data is excluded; **Half-filled circle:** equivalent length masking; **Empty circle:** Data is sent in the clear
* UserReplay sends the last 4 digits of the credit card field in plain text
† Hotjar masks the street address portion of the address field. Photo: freedom-to-tinker.com

The researchers said that Hotjar delivers the publisher’s content over HTTP, meaning data that would normally be protected by HTTPS – a more secure protocol – would be vulnerable to passive network surveillance.

“This allows an active man-in-the-middle to inject a script into the playback page and extract all of the recording data,” the researchers wrote.

Even if you’re visiting an HTTPS site, your data might be sent over the network in the clear! Not a failure of HTTPS — it’s because the 3rd party doesn’t enable HTTPS when the publisher logs in to replay your session. pic.twitter.com/ZlL1ireviO
— Arvind Narayanan (@random_walker) November 15, 2017

In one particular case, the legal services company LexisNexis had scripts from the company Decibel Insight running – the researchers noted that there was “evidence of session recording.”

On its own website, Decibel Insight features LexisNexis as a case study for its services.

No Hong Kong government websites were found in the spreadsheet entries. Weese said: “I assume the internal process of adding any external script to a site inside of .gov.hk domains is quite a nightmare.”

Some of the Hong Kong websites with session replay scripts that the spreadsheet mentioned include: