Hacker News
by DataGata 1646 days ago
It should be reassuring to know that most of the things you interact with are actually too bandwidth constrained to care about those things, and the algos you interact with are fairly obvious and explicit (Feeds, curated things, etc)
3 comments

I used to think this, until I happened across FullStory. With that tool you can replay a website visitor's exact session as if it was recorded live on video -- everything they typed (even if it was cleared and never sent in a request), where/when clicks happened, the contents and response of every request, etc.

As a backend engineer, I had no idea that frontend monitoring was this advanced, but apparently it is. So now we all have to be extra paranoid, because _any_ website could be using this tool to "spy" on everybody.

Of course, it _was_ very helpful to us in tracking down some issues (ever tried to tell a customer how to send you a HAR?). And I assume that operating with an adblocker and blocking nonessential cookies will prevent or hamper the output for us more technical types. Even so...

> everything they typed (even if it was cleared and never sent in a request)

Okay, wow, that sounds rough... so in a way, phishing attacks don't even require you to log in anymore, just typing the password or maybe 75% of it is enough to get you.

That's not new, is it? You could always have an onchange/oninput handler on the login fields and send it to your server.
Back when Facebook made their huge update to convert to a one-page app, it was pretty obvious they were doing this, because on tenuous connections the interactions with the text would be very strange, as if they were caching your text and operating on it server-side using commands sent from the client side.
Uhh... yeah, just typing the password (or letting your password manager autofill when you get cache poisoned or whatever) has always been enough to get you. onkeydown has existed longer than phishing.
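The capture the two replies above describe, as an added example (not code from the thread, from FullStory, or from Facebook): a recorder attached through the `input` event that keeps every intermediate value of a field, so a password typed and then deleted before submission is still available to whoever receives the log. The `FakeInput` stand-in for a DOM `<input>`, the field name `password`, the injectable clock and the typed sample are constructed so the example runs offline under Node; in a browser the same `attach` call goes on the real element.

```javascript
// Added example, not from the thread: an oninput-based recorder of the kind the replies
// describe. Every edit to the field fires an 'input' event, and the handler stores the
// field's full value at that moment, so text later deleted and never submitted is kept.

class InputRecorder {
  constructor() {
    this.log = []; // {field, value, t} per input event, in order
  }

  // Wire a recorder to one field. `clock` is injectable so the demo is deterministic.
  attach(input, fieldName, clock = () => Date.now()) {
    input.addEventListener('input', () => {
      this.log.push({ field: fieldName, value: input.value, t: clock() });
    });
  }

  // The "replay": the sequence of values the field held, one per keystroke or edit.
  history(fieldName) {
    return this.log.filter((e) => e.field === fieldName).map((e) => e.value);
  }

  // What the receiving side cares about for a password field: the longest value ever
  // observed, regardless of what (if anything) was eventually submitted.
  longestSeen(fieldName) {
    return this.history(fieldName).reduce((best, v) => (v.length > best.length ? v : best), '');
  }
}

// Constructed stand-in for a DOM <input> so the example runs under Node without a browser.
// It fires one 'input' event per edit, as a browser does while the user types.
class FakeInput {
  constructor() {
    this.value = '';
    this.listeners = {};
  }
  addEventListener(type, fn) {
    if (!this.listeners[type]) this.listeners[type] = [];
    this.listeners[type].push(fn);
  }
  dispatch(type) {
    (this.listeners[type] || []).forEach((fn) => fn({ type, target: this }));
  }
  type(text) {
    for (const ch of text) {
      this.value += ch;
      this.dispatch('input');
    }
  }
  backspace(n = 1) {
    for (let i = 0; i < n; i++) {
      this.value = this.value.slice(0, -1);
      this.dispatch('input');
    }
  }
  clear() {
    this.value = '';
    this.dispatch('input');
  }
}

// Constructed scenario: the user types a password, deletes part of it, clears the field and
// leaves without ever submitting the form. The form itself never sends a request carrying
// the password; the recorder still has it.
function demo() {
  const recorder = new InputRecorder();
  const password = new FakeInput(); // hypothetical login field
  let tick = 0;
  recorder.attach(password, 'password', () => ++tick);

  password.type('hunter2!');
  password.backspace(3);
  password.clear();

  return {
    submitted: password.value,                      // '' : nothing left in the field
    longest: recorder.longestSeen('password'),      // 'hunter2!' : captured anyway
    snapshots: recorder.history('password').length, // 12 : one per edit
  };
}

console.log(demo());
```

The handler runs on every edit, before any form submission, so the only network-visible trace is whatever transport ships `log` (a periodic XHR or beacon). That is why blocking the recorder script itself helps, while anything that only inspects the form's own submission sees nothing.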
This isn't reassuring at all. People also said the gov didn't have the bandwidth/storage/processing to record every call. Then we found out it was also happening with our emails.
It's not, and even if it were, it could be pre-processed locally so as to reduce the data volume. It's safe to assume that everything you do on Instagram or TikTok is taken into account. Those are spyware and will intrude on the filesystem, the clipboard history and wherever else they can.