TawkTo

TawkTo operates as a live chat platform with severe signal corruption and competitive intelligence risks. Cross-domain tracking, behavioral biometrics, session replay, and consent bypass create maximum legal exposure. The 100% CAC subsidization score reflects visitor conversations and behavioral data becoming competitor intelligence.

272 IOCs | 8 detections | 38% pre-consent | 5 sites

Vendor Risk Score: 80

How This Briefing Works

This report opens with key findings, then maps the gaps between what TawkTo discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.

Key Findings

8 detections across 5 sites, 38% pre-consent activity
HIGH

Pre-Consent Activity

TawkTo was observed loading and executing before user consent was obtained on 38% of sites where it was detected.

GDPR, ePrivacy

Disclosure Gaps

Claims vs. Observed Behavior

1 gap

pending

UNKNOWN
They Claim

Requires claims extraction via CDT

Observed Behavior

Runtime evidence confirms C01/C06/C07/C08/C09/C10 activation

Customer Impact

What This Means For You

Chat conversations become competitor intelligence. Visitor questions about pricing, features, and implementation timelines captured in TawkTo transcripts are accessible to competitors using the same platform. Legal holds 100% exposure risk from consent bypass and cross-domain tracking. Session replay captures form fills and sensitive interactions.
Recommended Actions

What To Do About It

Role-specific actions based on observed behavior

If You Use TawkTo

  • Immediate removal of TawkTo chat widgets
  • Legal review of chat transcript data retention
  • Audit CRM integrations for conversation data imports
  • Notify DPO of consent bypass and cross-domain tracking

If You're Evaluating TawkTo

  • Self-hosted chat alternatives with zero data sharing
  • First-party chat infrastructure on owned domains
  • Consent-compliant visitor engagement tools

Negotiation Leverage

  • TawkTo creates unlimited legal liability through consent bypass and cross-domain tracking
  • 100% CAC subsidization means chat conversations train competitor prospecting
  • Session replay and behavioral biometrics violate privacy controls
  • Chat transcripts accessible to competitors on shared platform
  • Removal required immediately for GDPR compliance
Runtime Detections

6 BTI-C CODES

BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.

BTI-C01 Defeat Device

Evasion infrastructure, auditor bypass

Impact: Bypasses consent controls to capture chat data regardless of user preferences

BTI-C06 Behavioral Biometrics

Keystroke/mouse tracking

Impact: Captures typing patterns and interaction behaviors for identity resolution

BTI-C07 Session Recording

Full session replay

Impact: Records visitor sessions including chat transcripts and form interactions

BTI-C08 Cross-Domain Sync

Identity stitching

Impact: Tracks visitors across multiple domains and properties

BTI-C09 Consent Bypass

Ignoring CMP signals

Impact: Activates before consent mechanisms, defeating privacy controls

BTI-C10 Fingerprinting

Device identification

Impact: Creates persistent visitor profiles across sessions and devices

IOC Manifest

270 INDICATORS

Indicators of compromise across 4 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.

Ecosystem

Ecosystem & Supply Chain

TawkTo chat data flows through centralized infrastructure accessible to all platform users. Cross-domain tracking enables visitor identification across customer properties. Integration with CRM systems and help desks creates data leakage paths where competitor sales teams access conversation transcripts.
Evidence

Evidence Artifacts

Artifacts collected during analysis, available with evidence-tier access.

HAR Capture

Complete network capture with all requests and responses

IOC Manifest

272 detection signatures across scripts, domains, cookies, and network endpoints

Vendor Details