This is fun. Does this potentially mean that there are analytics firms out there with tons of "screenshots" containing easily demasked credit card info, probably sitting somewhere in an S3 bucket? That's a new attack vector I've never thought about.
Exactly! Glad someone is catching my point; the issue is that people go to the ends of the earth to protect databases of credit card information, and I doubt the same can be said for a database of screenshots containing equivalent info.
Another big issue I see is that I may trust company X with my data, but as a consumer I wouldn't know I'm actually sharing my data with company Y, and I think that is something users should be aware of.
What’s the data advantage of taking and sending a screenshot of the app instead of just sending user events (e.g. field filled, field selected, form submitted)?
This write-up doesn't actually state where these unobfuscated images came from, so it's not clear to me where (or whether) there are actually unobfuscated images in Air Canada's system. Tools like Glassbox usually mark PII fields with CSS classes to blur/redact fields when the screenshots are taken. It looks like the author may have found password and credit card fields without these CSS classes and manually recreated what the unobfuscated fields would look like with dummy data, but it's also possible to configure these tools to not log entire pages or directories -- this is how payment pages are usually configured, with screenshotting completely disabled.
If the (anonymous) author simply mocked up what these screenshots _might_ look like if they were saved, that's pretty misleading.
Author here: these are not mockups, and if you watch the linked video you can see me replay the session I captured using an HTTPS proxy. Hope that clears things up, thanks for your interest!
I was once forced to integrate one such product into our app. We did mask what we thought was the sensitive information. Within days of release, the app was removed from the Play Store for a privacy violation. Had to remove the SDK to get back in business. So Google does use tools to detect such stuff, and this was early 2017.
I was in charge of building this kind of product for another analytics company. This technology is called session replay, and it is used for many use cases, like UX improvement, support, bug detection...
Most vendors record keyboard inputs and thus can record passwords as well as credit card information; there was an affair about it a few years ago [1]. To avoid this issue, most vendors provide a way not to record that information. It requires manually tagging the elements of the website that contain critical content.
But many session replay vendors have many clients, and don't force or verify that all the critical information is masked. This is not GDPR compliant, because when the GDPR applies you need the consent of the user to record their PII, and you are not even allowed to record information like password, sexual orientation, credit card even if you have the consent.
Two things:
- Nowadays on the web most payment pages are not hosted on the client website, so those analytics tools are not included (but there are still many websites that don't use a third party for that)
- This data is not (most of the time) recorded in a structured way; input data is recorded as some element of the HTML, and thus it is not super easy to extract the information at scale
[1] https://freedom-to-tinker.com/2018/02/26/no-boundaries-for-c...
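Added example, not code from the thread, from Glassbox, or from any vendor's SDK: a model of the masking policy a session-replay recorder should apply to captured input events before they leave the page, illustrating both the "manual tagging of critical elements" described in this comment and the CSS-class redaction mentioned in the Glassbox comment above. The event shape, the `sr-mask` class name, the field names and the sample values are all assumptions constructed for illustration; the weak policy is shown beside the hardened one, and the hardened one adds a content check (Luhn) so that a field the developer forgot to tag does not become a card-number leak.

```javascript
// Added example (not from the thread or any vendor SDK). Event shape,
// the `sr-mask` class name and all sample values are assumptions.

// Constructed sample: input events a keystroke-capturing SDK might observe
// on a checkout page. `classes` is whatever the site developer tagged by hand.
const sampleEvents = [
  { name: "email",    inputType: "email",    classes: [],          value: "jane@example.com" },
  { name: "pw",       inputType: "password", classes: [],          value: "hunter2" },
  { name: "card",     inputType: "text",     classes: ["sr-mask"], value: "4111 1111 1111 1111" },
  { name: "promo",    inputType: "text",     classes: [],          value: "SPRING20" },
  // Field the developer forgot to tag: only a content check can catch it.
  { name: "alt_card", inputType: "text",     classes: [],          value: "5555-5555-5555-4444" },
];

// Luhn checksum over a digit string; used here as a content-based safety net
// for card numbers typed into untagged fields.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// True if the value is 13-19 digits (spaces/dashes allowed) with a valid Luhn
// checksum, i.e. it has the shape of a primary account number (PAN).
function looksLikePAN(value) {
  const digits = value.replace(/[\s-]/g, "");
  return /^\d{13,19}$/.test(digits) && luhnValid(digits);
}

// Weak policy: forward every value as typed. This is the "record keyboard
// inputs" default the comment describes; passwords and PANs leave the page.
function recordWeak(events) {
  return events.map((e) => ({ name: e.name, value: e.value, reason: null }));
}

const MASKED = "[masked]"; // fixed token so the mask does not leak value length

// Hardened policy: mask by semantic field type, then by the developer's tag,
// then by content. `reason` is kept so a later audit can see why a field was
// masked (and which fields were only saved by the content check).
function recordHardened(events, maskClass = "sr-mask") {
  return events.map((e) => {
    let reason = null;
    if (e.inputType === "password") reason = "type";
    else if (e.classes.includes(maskClass)) reason = "tag";
    else if (looksLikePAN(e.value)) reason = "content";
    return reason
      ? { name: e.name, value: MASKED, reason }
      : { name: e.name, value: e.value, reason: null };
  });
}

// Audit helper: count records that still carry a raw password or PAN.
// `records` and `events` are index-aligned because map() preserves order.
function leakedSensitiveCount(records, events) {
  return records.filter((r, i) => {
    const e = events[i];
    return r.value === e.value && (e.inputType === "password" || looksLikePAN(e.value));
  }).length;
}

console.log("weak policy     :", leakedSensitiveCount(recordWeak(sampleEvents), sampleEvents), "sensitive values leaked");
console.log("hardened policy :", leakedSensitiveCount(recordHardened(sampleEvents), sampleEvents), "sensitive values leaked");
```

The content check is a backstop, not a substitute for the configuration described earlier in the thread (not capturing payment pages at all): a Luhn match has false positives on other long numeric identifiers, and it cannot catch a PAN typed across several separate fields or a password that happens to be numeric.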
> you are not even allowed to record information like password, sexual orientation, credit card even if you have the consent
Wait, why can’t a website record my sexual orientation with my consent?
How will dating sites work then? Or is there a difference between asking about sexual orientation and asking me about what gender I would like to see / what I am looking for? If there is a difference, then what's the point of not allowing sexual orientation to be stored? From a practical point of view, the question phrased like "what I am interested in / looking for" gives about the same information, doesn't it?
It's possible to convert an entire HTML document in its current state to a bitmap using canvas and getComputedStyle (see html2canvas), though I don't know if this is the method they use.
As far as their claim goes, it sounds like marketing speak. My guess is they're listening to events and then superimposing them on the UI to mimic a screenshot.
What? You used a porn site that demanded camera access, and you agreed to it? To each their own, I guess. But that's not a move I would have made...
What's "their contract" that's prohibiting you from naming the site, apart from a standard EULA that no one reads? Who cares, just name the site?
Honestly, I'm having trouble believing this.
minimaxir|7 years ago
A screenshot literally unstructures the data.
whoisjuan|7 years ago
https://www.appsee.com/
https://uxcam.com/
https://userx.pro/
That's just a small sample of services that allow you to record the user's screen or take screenshots. App session replay software has existed for years, and of course it captures everything that is going on in the app, including checkouts and profile data (unless you flag those screens in the SDK implementation).
Like someone already pointed out, that video or image will likely be stored somewhere (an S3 bucket or some static storage). I think anyone who is implementing these types of SDKs in their app needs to do their due diligence and not push sensitive data to these third parties.
oliveshell|7 years ago
“Improved retention,” indeed.
asudosandwich|7 years ago
Can apps screenshot what's displayed in Safari in that case?
aasasd|7 years ago
Yeah right bud.