
Beware Session Replay Scripts on VPN websites

One of the main reasons to use a VPN is to provide privacy while online. It may, therefore, come as something of a surprise to learn that many VPNs not only track visitors to their websites, but share this information with extensive advertising and analytics networks.

Even more worrying is the fact that the information collected goes far beyond mere tracking. Session replay scripts have hit the headlines recently because they record every interaction a visitor makes with the website.

According to a recent report by Princeton University researchers:

These scripts record your keystrokes, mouse movements, and scrolling behavior, along with the entire contents of the pages you visit, and send them to third-party servers. Unlike typical analytics services that provide aggregate statistics, these scripts are intended for the recording and playback of individual browsing sessions, as if someone is looking over your shoulder.

Even when text is typed into a text field but never submitted, session replay scripts still record it. Alarmingly, a follow-up report found that these scripts can also leak passwords to session replay companies:

In our research we found password leaks to four different third-party analytics providers across a number of websites. The sources are numerous.

The video above shows what information session replay company FullStory can collect when you visit a website that uses its scripts.

Bad as all this might sound, it gets worse…

This data can’t reasonably be expected to be kept anonymous. In fact, some companies allow publishers to explicitly link recordings to a user’s real identity.

FullStory is one of these companies. Other top session replay companies named in the report are Yandex, Hotjar, UserReplay, Smartlook, Clicktale, and SessionCam.

It is also safe to assume that none of this highly personal data which is collected (and which can include passwords, remember) will be safe from criminal hackers.

Recording services increase the exposure to data breaches, as personal data will inevitably end up in recordings. These services must handle recording data with the same security practices with which a publisher would be expected to handle user data.

We provide a specific example of how recording services can fail to do so… The vulnerabilities we highlight… are inherent to full-page session recording.

VPN websites and tracking

The fact that many VPNs track users using tools such as Google Analytics has always been a concern. This is why we have started to include a section on website tracking as part of our standard review process.

We understand that in most cases the VPN is not acting in any way maliciously. The information gained in this way provides them with a great deal of insight into how visitors interact with their website. This allows a VPN to improve the design of its website, which, of course, helps to improve its profits.

It is also important to understand that website tracking has no impact on your privacy when using the actual VPN. It is basically a separate issue (although passwords leaked thanks to session replay scripts might compromise your actual VPN sessions!).

At BestVPN.com, however, we feel that extensive website tracking by companies that promise to care about your privacy is very bad form. It also does little to inspire trust in a provider, in a business where trust is everything.

VPNs and session replay scripts

If the use of regular tracking scripts by VPN websites is irritating, the use of session replay scripts is frankly unforgivable.

The Princeton researchers have released a list of almost 10,000 websites “which embed scripts from analytics providers that offer session recording services.”

As the researchers note, “the appearance of a website on this list DOES NOT necessarily mean that session recordings…” The use of scripts by these companies is nevertheless very concerning.

A simple search of the downloadable .csv file (mainly for the term “VPN”) turned up 17 VPN services, plus some websites that act in competition to BestVPN.com. There may well be others on there with less obvious names, but I do not have time to manually sift through all 10,000 domains!

Of those VPNs, only two are listed as having “evidence of session recording.” These are HideIP.me and VPN Tunnel, neither of which has been reviewed by us. Do note, however, that this is not evidence that session recording was not performed by the others on the list – only that there is no evidence for it.

Most of the VPNs on the list now appear to have removed tracking by session replay companies, so we can only hope their use was a mistake made in good faith and that lessons have been learned.

Astrill Session Replay

Astrill still uses a tracking script from Hotjar (above), while HideIP.me uses a confirmed session replay script from Yandex.

Protect yourself against session replay scripts

As always, it is best not to rely on others when it comes to protecting your privacy. The good news is that most ad-blocker and script-blocker browser add-ons will protect you from session replay scripts.

Ad-blockers mostly work using block-lists, however, so do please be aware that:

Two commonly used ad-blocking lists EasyList and EasyPrivacy do not block FullStory, Smartlook, or UserReplay scripts. EasyPrivacy has filter rules that block Yandex, Hotjar, ClickTale and SessionCam.

I recommend using the uBlock Origin ad-blocker for Firefox with Fanboy’s Enhanced Tracking List, in combination with the EFF’s Privacy Badger add-on. Note that Privacy Badger on its own should block session replay scripts, but it works best in combination with a good ad-blocker.
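To make the block-list point concrete, here is an added example (not code from the article or from any of the blockers it mentions) that audits the script tags of a constructed sample page against a small Adblock-style filter list. The provider names come from the article; the hostnames in SESSION_REPLAY_DOMAINS, the sample page, and the two filter lists are constructed for the demo and are not the real EasyPrivacy or Fanboy rules. It shows why a list that lacks a rule for a given provider lets that provider's script load, which is exactly the gap the quoted report describes for FullStory, Smartlook and UserReplay.

```javascript
// Constructed sample page: a landing page that embeds two session replay scripts,
// one generic analytics tag and one first-party script. Not a real site.
const SAMPLE_HTML = `
<html><head>
  <script src="https://www.googletagmanager.com/gtag/js?id=UA-0000"></script>
  <script src="https://static.hotjar.com/c/hotjar-0.js?sv=5"></script>
  <script src='https://edge.fullstory.com/s/fs.js'></script>
  <script src="/assets/app.js"></script>
</head><body></body></html>`;

// Session replay providers named in the article. The hostnames are assumed
// (typical serving domains), not taken from the article or the report.
const SESSION_REPLAY_DOMAINS = {
  "fullstory.com": "FullStory",
  "hotjar.com": "Hotjar",
  "mc.yandex.ru": "Yandex Metrica",
  "smartlook.com": "Smartlook",
  "clicktale.net": "Clicktale",
  "sessioncam.com": "SessionCam",
  "userreplay.net": "UserReplay",
};

// Pull every <script src=...> URL out of the HTML. A regex is enough for this
// demo; in a browser you would iterate document.scripts instead.
function extractScriptSrcs(html) {
  const re = /<script\b[^>]*\bsrc\s*=\s*(["'])(.*?)\1/gi;
  const out = [];
  let m;
  while ((m = re.exec(html)) !== null) out.push(m[2]);
  return out;
}

// Resolve a (possibly relative) src against the page origin and return its host.
function hostOf(src, pageOrigin = "https://example-vpn.test") {
  try { return new URL(src, pageOrigin).hostname.toLowerCase(); } catch { return null; }
}

// Domain match: the host is the provider domain itself or a subdomain of it.
function domainMatches(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

function providerFor(host) {
  for (const [domain, name] of Object.entries(SESSION_REPLAY_DOMAINS)) {
    if (domainMatches(host, domain)) return name;
  }
  return null;
}

// Minimal Adblock-style matcher: only "||domain^" rules are understood here.
// Such a rule blocks requests to the domain and all of its subdomains.
function compileRules(lines) {
  return lines
    .map(l => l.trim())
    .filter(l => l.startsWith("||") && l.endsWith("^"))
    .map(l => l.slice(2, -1).toLowerCase());
}

function isBlocked(host, rules) {
  return rules.some(domain => domainMatches(host, domain));
}

// For each third-party session replay script on the page, report the provider
// and whether the given filter list would stop it from loading.
function auditPage(html, filterList) {
  const rules = compileRules(filterList);
  return extractScriptSrcs(html)
    .map(src => ({ src, host: hostOf(src) }))
    .filter(({ host }) => host !== null && providerFor(host) !== null)
    .map(({ src, host }) => ({
      src,
      provider: providerFor(host),
      blocked: isBlocked(host, rules),
    }));
}

// Constructed filter lists. The first mirrors the report's observation that a
// list may cover Hotjar and Yandex but not FullStory; the second adds FullStory.
const LIST_WITHOUT_FULLSTORY = ["||hotjar.com^", "||mc.yandex.ru^"];
const LIST_WITH_FULLSTORY = [...LIST_WITHOUT_FULLSTORY, "||fullstory.com^"];

if (typeof require !== "undefined" && require.main === module) {
  for (const [label, list] of [["partial list", LIST_WITHOUT_FULLSTORY],
                               ["extended list", LIST_WITH_FULLSTORY]]) {
    console.log(`Audit with ${label}:`);
    for (const r of auditPage(SAMPLE_HTML, list)) {
      console.log(`  ${r.provider.padEnd(10)} ${r.blocked ? "BLOCKED" : "LOADS  "} ${r.src}`);
    }
  }
}
```

Run it with `node` and the first audit shows the Hotjar script blocked while the FullStory script still loads; only the extended list stops both. The same logic is what a browser blocker does on every request, which is why adding a second, broader list (or an add-on like Privacy Badger that does not depend on a static list) closes gaps that one list alone leaves open.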

Script-blockers such as uMatrix and NoScript will also work very well, although most users will find them too complex for day-to-day use.

Image credit: By REDPIXEL.PL/Shutterstock.

Written by: Douglas Crawford

With over five years’ experience at the sharp end of the VPN industry, Douglas is a recognized cyber-privacy expert. His articles have been published by numerous technology outlets, and he has been quoted by the likes of The Independent, Ars Technica, CNET and the Daily Mail Online.


  1. Pooter

    on May 22, 2018

    I don't have a vpn but I thought I'd install "the uBlock Origin ad-blocker for Firefox with Fanboy’s Enhanced Tracking List" to Firefox - it sort of broke your own site, with most pages just showing as text! I had PrBadger and Disconnect and HTTPS Everywhere running. One at a time I disabled Disc., Fanboy's list, the uBlock itself, re-starting FF each time, but just as bad. All other sites were fully functional, except BestVPN! I've restored my previous - HTTPS, Badger, Disconnect, BestVPN coming back, I think Badger is re-learning which is ok itself.

    1. Douglas Crawford replied to Pooter

      on May 23, 2018

      Hi Pooter, Hmm. Interesting. I also run uBlock Origin with Fanboy’s Enhanced Tracking List in Firefox (along with pretty much all the default lists!). When I visit bestvpn.com the social media buttons and YouTube videos are hidden, but everything else works ok. So maybe it isn't uBlock Origin? Anyway, Privacy Badger + Disconnect + HTTPS Everywhere should provide you with more than enough protection.

    2. Pooter replied to Pooter

      on May 23, 2018

      In Firefox I have now removed uBlock. I was still getting most of your pages only as text, then I went to preferences and cleared saved browser data - cookies, cache, and that improved things a lot, though still some text only pages. I've opened BestVPN in Chromium, which is a bit less strict, and it works fine. So I think the problem is in my Firefox, maybe I over-confused it yesterday with too many add-ons.

  2. Douglas Crawford

    on March 5, 2018

    Hi micheal, But using a VPN can definitely improve this situation...

  3. Casey Wrey

    on March 3, 2018

    Ironically, according to Ghostery, BestVPN has 5 trackers on this page: • DoubleClick • Google Dynamic Remarketing • Google Analytics • Matomo (formerly Piwik) • GA Audiences

    1. Douglas Crawford replied to Casey Wrey

      on March 5, 2018

      Hi Casey and Larry, I have raised this issue with the team and it has been tabled for discussion. In the meantime, please remember that we have always actively encouraged our readers to use ad-blocker and anti-tracking browser add-ons.

  4. Larry

    on March 3, 2018

    Privacy badger shows 11 potential trackers on this site; interesting.
