How To: Mitigating Web Session Replay Information Leakage



Background


There has been a lot of talk in the news lately about security issues surrounding web-based session replay.

The issue is a simple one: many popular websites are now running scripts that record every keystroke and every mouse movement, allowing them to replay your entire visit to their website, as though they’re looking over your shoulder.

Worse, that data is collected and retained by third-party analytics providers, not by the websites themselves.

And the information includes passwords, personally identifying information (PII), financial information, health information (PHI), and anything else you might type in.

The best writeup I’ve seen to date is over at Freedom to Tinker. It’s concise, and shows you exactly what’s going on.



Quick mitigation


The easiest mitigation is to disable JavaScript execution altogether, but this isn't typically feasible in an enterprise setting. Blocking third-party cookies isn't enough: the recording scripts don't need cookies to run, so you would also have to block third-party JavaScript, and there's little stopping those wishing to collect the data from serving the script inline or from the site's own domain.

The next best thing is to block outbound traffic (at the DNS resolver, proxy, or egress firewall) to the following domains and their subdomains, extracted from the list in the Freedom to Tinker writeup:

hotjar.com
clicktale.com
sessioncam.com
smartlook.com
userreplay.net
fullstory.com
mouseflow.com
inspectlet.com
decibelinsight.net
quantummetric.com
yandex.ru
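As an added example (not from the original post), the following Python turns the list above into something you can act on: a suffix-aware check for a hostname or script URL, a scanner that pulls `<script src>` URLs out of a page and reports the ones that resolve to a listed provider, and renderers for a hosts-file and a dnsmasq sinkhole. The domain list is the post's; the matching rules, the sample HTML, and the helper names are this example's own assumptions.

```python
"""Blocklist tooling for the session-replay domains listed in the post.

Added example, not part of the original post. The matching rule (exact
match or any subdomain, case- and trailing-dot-insensitive) and the
sample HTML below are this example's own choices.
"""
import re
from urllib.parse import urlsplit

# Domains from the post, lower-cased.
SESSION_REPLAY_DOMAINS = [
    "hotjar.com", "clicktale.com", "sessioncam.com", "smartlook.com",
    "userreplay.net", "fullstory.com", "mouseflow.com", "inspectlet.com",
    "decibelinsight.net", "quantummetric.com", "yandex.ru",
]


def normalize_hostname(hostname: str) -> str:
    """Lower-case and drop a trailing dot so 'HOTJAR.COM.' matches 'hotjar.com'."""
    return hostname.strip().lower().rstrip(".")


def is_blocked(hostname: str, blocklist=SESSION_REPLAY_DOMAINS) -> bool:
    """True if hostname is a listed domain or any subdomain of one.

    The suffix test runs on label boundaries: 'static.hotjar.com' matches
    'hotjar.com', but 'nothotjar.com' does not.
    """
    host = normalize_hostname(hostname)
    for domain in blocklist:
        d = normalize_hostname(domain)
        if host == d or host.endswith("." + d):
            return True
    return False


def blocked_from_url(url: str, blocklist=SESSION_REPLAY_DOMAINS) -> bool:
    """Check the host of a URL such as a <script src> value."""
    host = urlsplit(url).hostname
    return host is not None and is_blocked(host, blocklist)


# Matches src="..." or src='...' inside a <script> tag; deliberately simple,
# it does not handle every HTML edge case.
_SCRIPT_SRC = re.compile(r"<script\b[^>]*?\ssrc=[\"']([^\"']+)[\"']", re.I)


def find_blocked_script_srcs(html: str, blocklist=SESSION_REPLAY_DOMAINS) -> list:
    """Return the external script URLs in html that point at a listed domain.

    Inline scripts have no src and therefore cannot be caught this way; that
    is the gap the post warns about.
    """
    return [src for src in _SCRIPT_SRC.findall(html)
            if blocked_from_url(src, blocklist)]


def hosts_file_lines(blocklist=SESSION_REPLAY_DOMAINS) -> list:
    """Render hosts-file sinkhole entries.

    A hosts file matches exact names only, so subdomains such as
    static.hotjar.com are NOT covered by these lines.
    """
    return ["0.0.0.0 " + normalize_hostname(d) for d in blocklist]


def dnsmasq_lines(blocklist=SESSION_REPLAY_DOMAINS) -> list:
    """Render dnsmasq entries; address=/domain/0.0.0.0 also sinkholes subdomains."""
    return ["address=/" + normalize_hostname(d) + "/0.0.0.0" for d in blocklist]


# Constructed sample page (assumption: the script paths are made up).
SAMPLE_HTML = """
<html><head>
<script src="https://cdn.example.com/app.js"></script>
<script async src='https://static.hotjar.com/example.js'></script>
<script>/* inline recorder would go here; no src to match */</script>
</head></html>
"""

if __name__ == "__main__":
    for src in find_blocked_script_srcs(SAMPLE_HTML):
        print("blocked script:", src)
    print("\n".join(dnsmasq_lines()))
```

Use the dnsmasq form (or an equivalent wildcard rule on your proxy) rather than the hosts file, because the recorders are normally loaded from subdomains of the listed names. Two caveats: blocking `yandex.ru` at the apex also blocks the Yandex search engine, not just its analytics script, so you may want a narrower rule there; and none of this catches a recorder that is inlined or served from the site's own domain, as the post notes.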