How This Briefing Works
This report opens with key findings, then maps the gaps between what Zipy discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.
Key Findings
Pre-Consent Activity
Zipy was observed loading and executing before user consent was obtained on 100% of sites where it was detected.
Claims vs. Observed Behavior
disclosure
“Pending claims extraction”
Runtime detection shows C07 (session recording) and C09 (consent bypass)
What This Means For You
What To Do About It
Role-specific actions based on observed behavior
If You Use Zipy
- →IMMEDIATE: Audit Zipy initialization timing — pre-consent recording creates CRITICAL liability requiring urgent remediation
- →Implement consent-gated session recording activation with explicit user opt-in separate from general analytics consent
- →Review recorded sessions for PII exposure and implement redaction for sensitive data fields
If You're Evaluating Zipy
- →Document pre-consent recording scope and duration
- →Request technical controls to prevent ANY recording until explicit consent obtained
- →Obtain written confirmation of session data retention policies and deletion procedures
- →Verify PII redaction capabilities for form inputs and sensitive page content
Negotiation Leverage
- →Pre-consent recording: CRITICAL liability — session capture begins before consent. Require technical controls to prevent ANY recording until explicit user authorization obtained separately from analytics consent.
- →PII exposure: Session replays capture form entries and sensitive data — demand automatic redaction for PII fields (email, phone, payment data, passwords) and audit capabilities to verify redaction.
- →Data retention: Recorded sessions persist — require specific deletion timelines (30 days maximum recommended) and on-demand deletion capabilities.
- →Consent granularity: Session recording requires separate consent from analytics — general analytics consent does NOT authorize session replay.
- →Third-party access: Verify session data is not shared with third parties or used for purposes beyond stated debugging/UX optimization.
Runtime Detections
BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.
Full session replay
Ignoring CMP signals
IOC Manifest
Indicators of compromise across 5 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.
Ecosystem & Supply Chain
Evidence Artifacts
Artifacts collected during analysis, available with evidence-tier access.
Complete network capture with all requests and responses
25 detection signatures across scripts, domains, cookies, and network endpoints