Analytics software that lets companies track what you see and do on a website has another worrisome ability: it can scoop up your passwords, too.
The problem involves “session replay” scripts and other analytic tools that can record how you interact with a website. Companies can install the scripts to log your keystrokes, mouse movements, and scrolling activity across their web pages, all in an effort to optimize their internet presence.
If that doesn’t sound creepy enough, the real danger is how the software can vacuum up any sensitive data entered into the website. Back in November, three Princeton researchers studied how the session replay scripts can record name, email, phone number and credit card information, despite safeguards that should have redacted the details from the data collection.
On Monday, the researchers said the tools have another flaw. They can unintentionally record passwords from websites that have a “show password” feature attached to a login field.
The Princeton researchers began investigating the issue when one analytics provider, Mixpanel, reported that its tool had accidentally recorded password information from websites. Despite a fix, the Mixpanel tool continued to collect password data, the researchers said in their latest report.
The password leak occurs when a user clicks the show password feature in a website’s login field. This makes the website display the password in cleartext, letting the Mixpanel tool collect it. “The collection happens regardless of whether the user ultimately submits the login form,” the researchers said.
Two other analytics providers, FullStory and SessionCam, did the same, accidentally capturing the sensitive data over the show password feature.
Mixpanel, FullStory, and SessionCam didn’t immediately respond to requests for comment. But they told the researchers that fixes are on the way, and that all the password data collected had been deleted.
Nevertheless, the researchers worry that the website tracking is a “security disaster waiting to happen [since] there is no foolproof way for these third party scripts to prevent password collection, given their intended functionality,” they wrote.
The good news is that you can block these tracking scripts in your browser by installing content-blocking software such as uBlock Origin.