Hundreds of web firms are tracking every single keystroke made by visitors, a study from Princeton University has suggested.
The technique - known as session replay - is used by companies to gain an understanding of how customers use websites.
More than 480 websites used the technique, according to the study.
Experts questioned the legality of using such software without user consent.
"These scripts record your keystrokes, mouse movements, and scrolling behaviour, along with the entire contents of the pages you visit, and send them to third-party servers," the researchers said in a blog.
"Collection of page content by third-party replay scripts may cause sensitive information such as medical conditions, credit card details and other personal information displayed on a page to leak to the third party as part of the recording. This may expose users to identity theft, online scams, and other unwanted behaviour," they added.
The researchers looked at seven firms that offer session replay software - FullStory, SessionCam, Clicktale, Smartlook, UserReplay, Hotjar and Yandex.
They found that 482 of the world's top 50,000 sites used scripts provided by one of these firms.
Firms using the software included the UK's news website the Telegraph, Samsung, Reuters, US retail giant Home Depot and CBS News.
Paul Edon, director at security firm Tripwire said: "The first area of concerns here is the legality of recording people's keystrokes without first informing them of the fact.
"If these websites do not alert the user to the fact that they are recording keystrokes, then I would class this under 'nefarious activity' as it is being less than honest, and the information is being collected without the user's knowledge."