Beware of information leakage risk of third party plugins on your website

HKCERT is aware that an information security research team has published a study on "session replay" collecting user activities and information on many third party plugins embedded websites. There are several Hong Kong websites involved. These third party plugins are mainly for analytics and marketing purposes provided by service providers such as marketing or advertising agencies.

The study shows that user activities and sensitive information including password and credit card information can be collected by these third party plugins and may even be sent back to their servers. If your companies have embedded these plugins on your websites, we advised you to review their usage and understand what type of data collected. Because if the plugins or these service providers are compromised, sensitive information of your customers will be leaked, which can in turn affect your reputation or be possibly liable to litigations.

Advices:

1. Review the functions and data being collected by third party plugins embedded in your websites.
2. Avoid applying third party plugins on collecting sensitive information such as password or credit card information, and avoid sending unnecessary sensitive information for other parties.
3. Ensure the third party plugins also employing HTTPS for transfering data, especially if your website is configured with HTTPS.

Reference:

1. No boundaries: Exfiltration of personal data by session-replay scripts
2. Over 400 of the World's Most Popular Websites Record Your Every Keystroke, Princeton Researchers Find
3. Keystroke recording scripts found running on numerous Hong Kong websites, say researchers