- Nov 29, 2022, 12:46 PM
- 7 minutes
In addition to creating dynamic and interactive web content, JS collects users' information that advertisers and hackers can take advantage of.
The meta tags contain links to scripts that run after you open a page. A code is triggered when a user visits a site and identifies the user's browser.
Other scripts can start automatically and read information about your screen and activity on the site.
User's interests. It works through a tracking code. This code helps advertisers, webmasters and marketers analyze visitors and their actions on the site. It includes information about how long users read content, which ads they click on, and so on. Then the information goes to Google Analytics, Yandex Metrica, and other analytics systems.
The screen code object holds information about a user's screen. The site owners can know your device's screen size and colors.
The navigator.plugins code objects collect information about plugins and their versions.
Words you type. If this code is already built into the site or hackers have built it in, they can track text fields that users fill in.
This way, for example, hackers can find out bank card details through a phishing payment site.
Camera Information. Special codes can give access to the camera or microphone of your device.
For example, site owners can access your device's microphone and back & front cameras and see what a user is doing.
Site owners can also get information such as users' viewed pages, their activity, how users interact with phone numbers given on a site, and how much time they spend on a site.
Some popular services are Google Analytics, Hotjar, Statcounter, and others.
These services show how many people sign in, what items they buy, add to the shopping cart, or just look at, and so on.
Such analytics systems are installed on almost all sites. They are completely legal and controlled by large companies. Analytics systems monitor only user behavior and do not store personal information. So the site owners cannot link users' online activity with real people. They only get aggregated data. And if they try to obtain users' information and sell it, they will be fined or banned.
The purpose of such systems is to make websites convenient and useful and analyze users' actions on a site.
For instance, video hosting sites will not work — the main page will not load. Social networks, online maps, food delivery services, etc., will show empty pages.
Metrics also help identify problems of the website and areas for improvement.
For example, the Hotjar service creates a sitemap showing how a user engages on a specific part of the page. If there is a non-clickable element that users often click on, developers will fix it.
Analytics systems show how visitors interact with a website. The owners of a site will see all user's clicks, cursor movements, the time a person spends on each part of the page, and issues arising in certain browsers or devices.
For instance, if some function does not work in the browser — the site owner will see and fix it.
Implementing malicious JS code. It is called cross-site scripting (XSS). This code can process and store users' confidential information.
For example, if a hacker adds a malicious code to an online banking site, they will get login data and other user information.
Carrying out SQL injection attack. SQL injection is an injection attack wherein hackers get access to the databases of a site and change or steal user information.
Cross-site Request Forgery Attack (CSRF). CSRF is an attack carried out by using a scam website or script. It forces a user to execute unwanted actions on a trusted site to which the user is logged in. The user must click the phishing link for the attack to work.
For example, a person signs in to a banking account and clicks a hacker's link with a request to transfer money to the thief's account. The bank will process the transaction without the user's knowledge because the user is signed in.
Visit sites with HTTPS/SSL encryption. Hackers cannot implement malicious JS codes into such a site and will not be able to steal anything. But if a site with HTTPS initially contains malicious JS code — you will not be able to protect yourself.
Use ad blocker extensions to partially avoid surveillance, for example, AdBlock, uBlock Origin, Ghostery, AdGuard, and others.
They block unnecessary scripts and leave those that improve websites and ads.