Covert 'Replay Sessions' Have Been Harvesting Passwords by Mistake

Rosalie Lee

But some go much further than what you'd reasonably expect, using so-called session replays to create a detailed log of everything you do and type on a site.

But the Princeton research group that first published findings about session replay scripts has uncovered a troubling series of situations where seemingly well-intentioned safeguards fail, leading to an unacceptable level of exposure.

The investigation started with Mixpanel, a product analytics company that offers a comprehensive user data collection service known as Autotrack.

Autotrack isn't a session replay script, but it collects whole-hog user interaction data so that Mixpanel's clients can query later for any information about their users.

Mixpanel corrected the password flaw and issued an SDK update, but the Princeton researchers—Steven Englehardt, Gunes Acar, and Arvind Narayanan—say they realized that these types of password redaction failures were probably a larger problem.

Even after Mixpanel issued fixes for the password retention issue, the Princeton researchers still found situations in which Autotrack recorded passwords.
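As an added illustration of why redaction that keys only on the current input type is fragile (this is example code, not Mixpanel's SDK or the Princeton team's work), the snippet below runs two scrubbing rules over a constructed buffer of captured form events, including a "show password" toggle that flips the field from type="password" to type="text" before a keystroke is recorded. The allowlist rule is an assumption about defensive practice, not something the article prescribes.

```javascript
// Added example: scrub captured input events before an analytics SDK ships them.
// Field descriptors are plain objects (constructed sample data) so this runs under
// Node without a DOM; a real hook would read the same attributes off the <input>.

const REDACTED = '[redacted]';

// Denylist rule, the kind of safeguard the article describes failing: keep every
// value unless the field currently has type="password".
function denylistRedact(event) {
  return event.field.type === 'password' ? { ...event, value: REDACTED } : event;
}

// Allowlist rule (assumed hardening): drop every value by default and keep only
// fields the site owner explicitly opted in, and never a field that looks secret.
function allowlistRedact(event) {
  const f = event.field;
  const optedIn = Boolean(f.dataset && f.dataset.analytics === 'allow');
  const sensitiveType = f.type === 'password' || f.type === 'hidden';
  const sensitiveHint = /(current|new|one-time)-password|^cc-/.test(f.autocomplete || '');
  return optedIn && !sensitiveType && !sensitiveHint ? event : { ...event, value: REDACTED };
}

// Constructed capture buffer: a login where the user clicked "show password",
// so the third event arrives with type="text" although it carries the password.
const captured = [
  { field: { name: 'user', type: 'text', autocomplete: 'username',
             dataset: { analytics: 'allow' } }, value: 'alice@example.com' },
  { field: { name: 'pass', type: 'password', autocomplete: 'current-password',
             dataset: {} }, value: 'hunter2' },
  { field: { name: 'pass', type: 'text', autocomplete: 'current-password',
             dataset: {} }, value: 'hunter2' },
];

// Apply a rule to every captured event.
function scrub(events, rule) {
  return events.map(rule);
}

// Count password-field events whose value survived scrubbing (should be 0).
function leakedValues(events, rule) {
  return scrub(events, rule).filter(e => e.field.name === 'pass' && e.value !== REDACTED).length;
}

console.log('denylist leaks:', leakedValues(captured, denylistRedact));   // 1
console.log('allowlist leaks:', leakedValues(captured, allowlistRedact)); // 0
```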

Zupyak is a free content platform for publishing and discovering stories, software and startups.