Would you give your account ID, password, account numbers, email address, home address, and all your other sensitive personal information to random strangers? No? Are you sure? Scripts embedded in a web page or app allow the script provider to record every keystroke and every mouse movement you make on the page.
So why are so many of the scripts on account management pages hosted by 3rd parties?
The “Never-Event” of web and app design
The last place you EVER want to see 3rd party trackers and scripts, then, is on a site’s account management pages.
Like this from Ring:
When you create your Ring account more than a dozen 3rd parties are looking over your shoulder as you enter your email address and password. Unlike you, those scripts actually can read the characters in the password field as you type them. Ironically, Ring sells home security. (Not to pick on Ring specifically since this problem is ubiquitous. A friend who was considering Ring asked me to look at their site.)
As you ponder this, consider that any security audit would ensure that the site or app properly encrypts things like passwords and security answers so they cannot be rendered back to plaintext if the data is stolen. But if that same site or app owner gives a dozen or more 3rd parties access to every form field on an account management page, those 3rd parties see the data in plaintext as you type it and can capture it. There’s no need to steal it from the site owner’s database when the site or app owner simply gives access to it away. Who audits the 3rd party? No average user even knows the 3rd parties are lurking on the page, so there is no market pressure to hold 3rd parties accountable, and that’s by design.
What could possibly go wrong?
We know without a doubt that lots of malware makes it into the ad delivery pipeline, and the value of a script on an account management page is orders of magnitude above the most valuable ad placement. Have you ever heard of an incentive like that going untapped? It would be wise then to anticipate that scripts designed to run silently behind the scenes might also deliver malware or siphon off sensitive account data.
If we accept the premise that unaccountable, unfettered access to account credentials has value, the next question is whether this access is more valuable on some sites than on others. What’s your definition of “sensitive” or “personal” data? Does DNA count? Should someone you plan to entrust with your DNA invite 3rd parties to watch your session as you create your account?
Does data from “smart” sex toys meet the definition of sensitive or personal?
But a better insight into how valuable account credentials are lies in the research finding that some 40% of us use the same password across all sites. The nightmare scenario isn’t that some hacker gets access to your DNA or sex toy data. It is that your login credentials are captured by 3rd parties who can then use them to break into this account and perhaps many others of yours. “Think globally, act locally” isn’t just for environmentalists anymore.
Isn’t this necessary?
In case you are wondering, Amazon gives us an example of what an account management page should look like as reported by Privacy Badger and NoScript. Zero 3rd party scripts or trackers on the account creation page is what you want to see. Same for the profile pages and account recovery page.
Too bad to be true
When I’ve pointed this out in the past many people respond that the risk can’t possibly be that great, that obvious and yet that pervasive. “Someone,” they say, “would have noticed? Right? Doesn’t that call into question the security of, well, pretty much everything on the Internet?”
Uh, yeah. That’s kinda my point.
And to the incredulous I say “Behold Mouseflow” because seeing is believing:
Mouseflow captures visits to a web site and can replay them in real time exactly as the user experienced it, including every page element, every character typed, every mouse movement and click. Mouseflow secretly captures a screencast of your session that is as good as Camtasia, as you can see in the linked video. Just be sitting down when you see it for the first time.
The Mouseflow business model requires them to store all this data for later replay to the site owner. Their Privacy Policy applies almost exclusively to their customers, but fortunately they do define their responsibilities to the non-members whose data they collect: “Mouseflow collects information under the direction of its customers, and has no direct relationship with the individuals whose data it may process.”
In another video, Mouseflow specifically demos analysis of an account creation page. The video shows that they have captured all the form data typed by the user in order to replay it to the site owner, and shows the user opting not to analyze the password field, which has nonetheless been captured. Whether the site owner uses it or not, Mouseflow has access to the account ID, the password, mother’s maiden name or whatever the account recovery question and answer is, and potentially anything in the account creation, recovery, and management pages.
What’s the motivation?
But why would anyone put analytics on an account creation page in the first place?
- If we assume a site’s account creation page is a potential hurdle to signing up new users then it’s the perfect page to analyze.
- If we assume 3rd parties are secretly capturing login credentials of everyone to improve their cross-site tracking and correlation, then it’s the perfect page to analyze.
This gives rise to some interesting questions.
When there is zero difference in the client-side behavior we’d expect from the vendor under these two scenarios, how do we protect against the second one, let alone detect it in the first place?
Given the value of capturing the account credentials, account recovery data, and personally identifiable information of hundreds of millions of users for privacy-invasive surveillance marketing, and given the ubiquity of 3rd party scripts embedded in account management pages that fully enable that exact capability, should we proceed on the assumption this is not happening or that it is?
Given the value of the information 3rd party scripts can collect from account management pages it would be the largest amount of Internet revenue ever left on the table if access through script placement on account management pages is not being sold.
Of all the vendors running script on account management pages the only one accountable to you is the site or app owner, but there are sometimes 20 or 30 3rd parties running scripts on the account management pages. There’s nothing special about Mouseflow and any of the scripts on the page can do what it does. Why even consider exposing that data to random secret 3rd parties? The site or app owner would have to be either extraordinarily ignorant of the implications and do so by accident and for free, or else it is deliberate and for profit.
Advice
Even if we don’t object to 3rd party scripts on content pages,
they should never, ever, EVER
be present on account management pages.
Yet this practice is ubiquitous and exists without public objection. I don’t know about you but I’m thinking that should probably change. Personally, I’ll be contacting site owners to object about 3rd party scripts on account management pages. Want to join me? If you don’t know how to inspect the pages for scripts, contact me. I’m happy to help.
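The inspection described above was done with Privacy Badger and NoScript; the following audit helper is added here (it is not the author’s code) to do the same first-party/third-party classification in a scriptable way and to derive the Content-Security-Policy that the advice above implies. It assumes a constructed page `https://account.example.com/signup` and a constructed script list; in a browser the list would come from `Array.from(document.scripts, s => s.src)` run in the console on the real account-creation page.

```javascript
// Added audit helper (not from the original post). Classify every script URL
// found on an account page as first-party or third-party and emit a CSP
// script-src that would block the third-party ones. The constructed sample
// below stands in for Array.from(document.scripts, s => s.src) run in the
// browser console on a real account-creation page.
const PAGE_URL = "https://account.example.com/signup";     // constructed
const FIRST_PARTY_HOSTS = ["example.com"];                 // hosts the site owner controls (assumption)
const SAMPLE_SCRIPTS = [                                   // constructed sample input
  "/static/app.js",                                        // relative URL: first party
  "https://cdn.example.com/lib.js",                        // owner's CDN: first party
  "https://analytics.tracker-one.invalid/t.js",            // third party
  "https://session-replay.invalid/record.js",              // third party (session replay)
  "",                                                      // inline <script>: empty src
  "https://session-replay.invalid/heatmap.js",             // same third party again
];

// A host is first-party if it is the page's own host, one of the owner's
// hosts, or a subdomain of either.
function isFirstParty(host, pageHost, ownerHosts) {
  return [pageHost, ...ownerHosts].some(h => host === h || host.endsWith("." + h));
}

// Returns { inline, firstParty: [urls], thirdParty: [[origin, count], ...] }.
function auditScripts(pageUrl, scriptSrcs, ownerHosts = []) {
  const pageHost = new URL(pageUrl).hostname;
  const firstParty = [];
  const thirdParty = new Map();
  let inline = 0;
  for (const src of scriptSrcs) {
    if (!src) { inline++; continue; }   // inline scripts have no src but can still inject loaders
    const u = new URL(src, pageUrl);    // resolves relative paths against the page
    if (isFirstParty(u.hostname, pageHost, ownerHosts)) firstParty.push(u.href);
    else thirdParty.set(u.origin, (thirdParty.get(u.origin) || 0) + 1);
  }
  return { inline, firstParty, thirdParty: [...thirdParty.entries()] };
}

// A Content-Security-Policy header value that lets only owner-controlled hosts
// run script on the page; anything else is blocked by the browser. Inline
// scripts then need a nonce or must move into first-party files.
function cspScriptSrc(ownerHosts) {
  const sources = ["'self'"];
  for (const h of ownerHosts) sources.push(`https://${h}`, `https://*.${h}`);
  return `script-src ${sources.join(" ")}; object-src 'none'; base-uri 'self'`;
}

const report = auditScripts(PAGE_URL, SAMPLE_SCRIPTS, FIRST_PARTY_HOSTS);
console.log(`${report.thirdParty.length} third-party origin(s), ${report.inline} inline script(s)`);
for (const [origin, n] of report.thirdParty) console.log(`  ${origin} (${n} script(s))`);
console.log("Suggested header: Content-Security-Policy: " + cspScriptSrc(FIRST_PARTY_HOSTS));
```

Run it only after the page has finished loading, since trackers are often injected late by a first-party tag manager; script-less trackers (beacon images, iframes) are not covered and still need Privacy Badger or the network panel.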