The Danger in Email, Stylesheets, Scripts and Session Replay

Membrane Domain Security Center

https://freedom-to-tinker.com/2017/09/28/i-never-signed-up-for-this-privacy-implications-of-email-tracking/

What happens when you open an email and allow it to display embedded images and pixels? You may expect the sender to learn that you’ve read the email, and which device you used to read it. But in a new paper we find that privacy risks of email tracking extend far beyond senders knowing when emails are viewed. Opening an email can trigger requests to tens of third parties, and many of these requests contain your email address. This allows those third parties to track you across the web and connect your online activities to your email address, rather than just to a pseudonymous cookie.

How it works. Email tracking is possible because modern graphical email clients allow rendering a subset of HTML. JavaScript is invariably stripped, but embedded images and stylesheets are allowed. These are downloaded and rendered by the email client when the user views the email.[2] Crucially, many email clients, and almost all web browsers, in the case of webmail, send third-party cookies with these requests. The email address is leaked by being encoded as a parameter into these third-party URLs.
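The mechanism the excerpt describes can be checked mechanically on a message before images are enabled. The following is an added example, not code from the Freedom to Tinker post or the paper it summarizes: a small Python auditor that extracts the remote resources a mail client would fetch (image sources, linked stylesheets and `url(...)` references inside styles), flags the ones served from a domain other than the sender's, and reports whether the recipient's address appears in the URL. The sample email, recipient address and domain names are constructed for the example; checking for MD5, SHA-1 and SHA-256 digests of the address, in addition to the plain parameter the excerpt mentions, is my own generalization of how addresses are embedded in tracking URLs.

```python
"""Audit an HTML email for third-party resource loads and email-address leaks.

Added example (constructed sample data); not from the quoted post or paper.
"""
import hashlib
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlparse

# Matches url(...) references inside CSS, with or without quotes.
CSS_URL_RE = re.compile(r"url\(\s*['\"]?([^'\")]+)['\"]?\s*\)", re.I)


class RemoteResourceParser(HTMLParser):
    """Collect URLs a mail client would fetch when rendering the message:
    <img src>, <link rel=stylesheet href>, and url(...) in <style> blocks
    or inline style="" attributes."""

    def __init__(self):
        super().__init__()
        self.urls = []
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "img" and a.get("src"):
            self.urls.append(a["src"])
        elif tag == "link" and (a.get("rel") or "").lower() == "stylesheet" and a.get("href"):
            self.urls.append(a["href"])
        elif tag == "style":
            self._in_style = True
        if a.get("style"):
            self.urls.extend(CSS_URL_RE.findall(a["style"]))

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:
            self.urls.extend(CSS_URL_RE.findall(data))


def email_fingerprints(email):
    """Forms in which an address may be embedded in a URL: plain text and
    common hex digests (assumption: MD5/SHA-1/SHA-256 are the usual choices)."""
    e = email.strip().lower()
    fps = {"plain": e}
    for name in ("md5", "sha1", "sha256"):
        fps[name] = hashlib.new(name, e.encode()).hexdigest()
    return fps


def find_leaks(url, fingerprints):
    """Names of the fingerprints found in the URL after decoding %-escapes
    (decoded twice to catch double-encoded parameters)."""
    decoded = unquote(unquote(url)).lower()
    return [name for name, value in fingerprints.items() if value in decoded]


def registrable(host):
    """Crude eTLD+1 (last two labels); sufficient for example.com-style hosts."""
    return ".".join(host.lower().rsplit(".", 2)[-2:])


def audit_email(html, recipient, sender_domain):
    """Return one record per http(s) resource: host, whether it is served by a
    party other than the sender, and which forms of the address leak in it."""
    parser = RemoteResourceParser()
    parser.feed(html)
    fps = email_fingerprints(recipient)
    report = []
    for url in parser.urls:
        p = urlparse(url)
        if p.scheme not in ("http", "https"):  # skip cid:, data: and the like
            continue
        host = p.hostname or ""
        report.append({
            "url": url,
            "host": host,
            "third_party": registrable(host) != registrable(sender_domain),
            "leaks": find_leaks(url, fps),
        })
    return report


# Constructed sample message: one first-party logo, a tracking pixel carrying an
# MD5 of the address, a stylesheet carrying the plain address, and a CSS
# background image carrying a SHA-1 of it.
SAMPLE_RECIPIENT = "alice@example.net"
SAMPLE_SENDER_DOMAIN = "newsletter-example.com"
_MD5 = hashlib.md5(SAMPLE_RECIPIENT.encode()).hexdigest()
_SHA1 = hashlib.sha1(SAMPLE_RECIPIENT.encode()).hexdigest()
SAMPLE_EMAIL = f"""<html><head>
<link rel="stylesheet" href="https://cdn.tracker-example.com/mail.css?u=alice%40example.net">
<style>body {{ background: url("https://pixels.analytics-example.org/p.gif?h={_SHA1}"); }}</style>
</head><body>
<p>Hello Alice,</p>
<img src="https://newsletter-example.com/logo.png" width="100">
<img src="https://open.tracker-example.com/o.gif?e={_MD5}" width="1" height="1">
<img src="cid:inline-image-1">
</body></html>"""

if __name__ == "__main__":
    for r in audit_email(SAMPLE_EMAIL, SAMPLE_RECIPIENT, SAMPLE_SENDER_DOMAIN):
        tag = "THIRD-PARTY" if r["third_party"] else "first-party"
        print(f"{tag:12} {r['host']:32} leaks={r['leaks'] or '-'}")
```

Run stand-alone it prints one line per remote resource; the `cid:` inline image is ignored because it is not fetched over the network. A mail gateway or client plug-in could use the same logic to decide which resources to block before rendering.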

https://freedom-to-tinker.com/2017/11/15/no-boundaries-exfiltration-of-personal-data-by-session-replay-scripts/

You may know that most websites have third-party analytics scripts that record which pages you visit and the searches you make. But lately, more and more sites use “session replay” scripts. These scripts record your keystrokes, mouse movements, and scrolling behavior, along with the entire contents of the pages you visit, and send them to third-party servers. Unlike typical analytics services that provide aggregate statistics, these scripts are intended for the recording and playback of individual browsing sessions, as if someone is looking over your shoulder.

https://motherboard.vice.com/en_us/article/59yexk/princeton-study-session-replay-scripts-tracking-you
Over 400 of the World’s Most Popular Websites Record Your Every Keystroke

Prominent companies who use the scripts include men’s retailer Bonobos.com, Walgreens.com, and the financial investment firm Fidelity.com. It’s also worth noting that 482 might be a low estimate. It’s likely that the scripts don’t record every user that visits a site, the researchers told me. So when they were testing, they likely did not detect some scripts because they were not activated. You can see all the popular websites that utilize session replay scripts documented by the researchers here.

The Walgreens example runs afoul of HIPAA in, oh, so many ways.

List of sites discovered (I bet many, many more are doing it)

https://webtransparency.cs.princeton.edu/no_boundaries/session_replay_sites.html

Disable all scripting. Disable images. Hell, I’m almost at the point of disabling stylesheets, that’ll be the next tracker if they ain’t doing it already.

I guess, just use surfraw and parse the output. Or go old-school and lynx/links.

sidd

Created by: Daniel Brouse and Sidd
All text, sights and sounds © BROUSE
"You must not steal nor lie nor defraud."