The Danger in Email, Sytlesheets, Scripts and Session Replay

Membrane Domain Security Center

https://freedom-to-tinker.com/2017/09/28/i-never-signed-up-for-this-privacy-implications-of-email-tracking/

What happens when you open an email and allow it to display embedded images and pixels? You may expect the sender to learn that you’ve read the email, and which device you used to read it. But in a new paper we find that privacy risks of email tracking extend far beyond senders knowing when emails are viewed. Opening an email can trigger requests to tens of third parties, and many of these requests contain your email address. This allows those third parties to track you across the web and connect your online activities to your email address, rather than just to a pseudonymous cookie.

How it works. Email tracking is possible because modern graphical email clients allow rendering a subset of HTML. JavaScript is invariably stripped, but embedded images and stylesheets are allowed. These are downloaded and rendered by the email client when the user views the email.[2] Crucially, many email clients, and almost all web browsers, in the case of webmail, send third-party cookies with these requests. The email address is leaked by being encoded as a parameter into these third-party URLs.

https://freedom-to-tinker.com/2017/11/15/no-boundaries-exfiltration-of-personal-data-by-session-replay-scripts/

You may know that most websites have third-party analytics scripts that record which pages you visit and the searches you make. But lately, more and more sites use “session replay” scripts. These scripts record your keystrokes, mouse movements, and scrolling behavior, along with the entire contents of the pages you visit, and send them to third-party servers. Unlike typical analytics services that provide aggregate statistics, these scripts are intended for the recording and playback of individual browsing sessions, as if someone is looking over your shoulder.

https://motherboard.vice.com/en_us/article/59yexk/princeton-study-session-replay-scripts-tracking-you
Over 400 of the World’s Most Popular Websites Record Your Every Keystroke

Prominent companies who use the scripts include men’s retailer Bonobos.com, Walgreens.com, and the financial investment firm Fidelity.com. It’s also worth noting that 482 might be a low estimate. It’s likely that the scripts don’t record every user that visits a site, the researchers told me. So when they were testing, they likely did not detect some scripts because they were not activated. You can see all the popular websites that utilize session replay scripts documented by the researchers here.

The Walgreen’s example runs afoul of HIPPA in, oh, so many ways.

List of sites discovered (I bet many, many more are doing it)

https://webtransparency.cs.princeton.edu/no_boundaries/session_replay_sites.html

Disable all scripting. Disable images. Hell, I’m almost at the point of disabling stylesheets, that’ll be the next tracker if they aint doing it already.

I guess, just use surfraw and parse the output. Or go oldschool and lynx/links.

sidd

This entry was posted in Business, cybersecurity, Education, freedom, Security and tagged , , , , , , . Bookmark the permalink. Both comments and trackbacks are currently closed.
  • RSS The Membrane Domain

    • The Economic Monsters: Inflation and Interest Rates
      by Daniel Brouse Economist In 2006 and 2007, we forecast the impending “great recession”. Our investment advice was to sell all your real estate. If you could not sell it, leverage it to the hilt (so you had your cash out before failure.) Turned out to be an accurate forecast. In 2017 and 2018, we […]
    • Climate Science Special Report: Human Induced
      The Fourth National Climate Assessment (NCA4), Volume I has determined that climate change is being unduly accelerated by human activities. The report is an authoritative assessment of the science of climate change, with a focus on the United States. It represents the first of two volumes of the Fourth National Climate Assessment, mandated by the […]
    • New York City Sues Oil Companies Over Climate Change
      The most likely force to cause a change in climate change is money. New York City is filing a law suit against five major oil companies (BP, Chevron, ConocoPhillips, Exxon Mobil and Royal Dutch Shell), claiming they have contributed to global warming. Mayor Bill de Blasio said the city will seek billions of dollars in […]
  • Stuck inside your castle walls
    Waiting ’til the kingdom falls
    Can’t escape your nightmares
    Regain hope and lose your fears
    youtu.be/mAJzQ3lk7_I
    ...

    View on Facebook

    Why do you think it is…
    Is turns to was?

    youtu.be/r8zKAjn00Y4
    ...

    View on Facebook
  • RSS PhilaNet.com

    • The Squares Of Philadelphia
      Southwest (Rittenhouse) Square, Southeast (Washington) Square, Northwest Square (Logan Circle), Northeast (Franklin) Square and Centre Square (City Hall) all offer something free to do in Philly. Originally planned by William Penn when he laid out the city of Philadelphia, Pennsylvania in 1682, the Squares of Philadelphia are five open-space public parks. Rittenhouse Square in Center […]
    • Earthquake Shakes Parts of Philly
      DOVER, DELAWARE — A Magnitude 4.1 earthquake was recorded 10km ENE of Dover, Delaware. The tremors could be felt from Washington D.C. to New York. No major damage or injuries were reported.
  • RSS NASA Image Of The Day

  • RSS Natural Disasters

  • Categories

  • Archives

Created by: Daniel Brouse and Sidd
All text, sights and sounds © BROUSE
"You must not steal nor lie nor defraud."