Web analytics outfit Mixpanel slurped surfers’ passwords

February 07 13:17 2018

Library update slip means it’s time to reset the ‘Days since last big breach’ counter to Zero

Website analytics outfit Mixpanel has admitted to harvesting passwords. Mixpanel provides a suite of services to help web publishers improve engagement. Among those services is “Autotrack”, which promised the chance to track just about every aspect of a user’s visit to a website. Including, it has been revealed, their passwords.

The issue became public when a user uploaded Mixpanel’s mea culpa to Reddit.

“On January 5th, 2018, a customer informed us that they observed Autotrack sending the values of password fields in events,” the message said. “We confirmed that this was unexpected behavior; by design, Autotrack should not send the values of hidden and password form fields.”

The note goes on to explain that the bug was introduced by a change to the React JavaScript library dating back to March 2017, and that the company does not believe any third party accessed the information.

Princeton privacy researcher Steven Englehardt, who last year warned that session-replay analytics breached privacy, tweeted his opinion that Mixpanel meant to filter out sensitive information, but its heuristic failed.

Steven Englehardt (via Twitter) – “Mixpanel (an analytics service) was inadvertently collecting user passwords for months. Some context: The Autotrack feature, which caused the leaks, allows sites to “retroactively” collect analytics on user form inputs”

Steven Englehardt (via Twitter) – “How does one retroactively collect form inputs? From what I can tell, Mixpanel saves all input data from the time of install and uses a heuristic to filter out ‘sensitive fields such as password or hidden fields.’ The password leak was caused by a failure in that heuristic.”

Later in that thread, Englehardt added that scraping user data should be considered an “inherently insecure process”.

Mixpanel users need to update their SDK version to stop grabbing passwords, and the company said “we’re adding some additional explicit checkpoints in our product development processes to help ensure that we’ve considered all of the impacts of the changes we make.”

The company also discovered a second slip-up in its own software, noting that since August 2016, password scraping could happen if the website visitor used plugins that “place sensitive data into form element attributes.”
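The two failure modes described above (a filter keyed on field type that misses a field, and sensitive data surfacing in element attributes) are easier to reason about with the filtering logic in front of you. The following is an added example written for this page, not Mixpanel's code; it models form fields as plain objects so it runs under Node without a DOM, and the field names, attribute names and sample values are constructed. It puts a denylist heuristic (send everything except known-sensitive types) beside an allowlist design (send a value only when the type is explicitly collectable, and forward only structural attributes) and counts how many constructed fields each would leak.

```javascript
// Added example, not Mixpanel's code: two ways an "autotrack" layer might decide
// whether a form field's value may be included in an analytics event.
// Fields are plain objects ({ name, type, value, attributes }) so this runs in Node.

// Structural attributes that are safe to report as-is.
const SAFE_ATTRIBUTES = new Set(["id", "name", "type", "class", "placeholder"]);
// Input types whose values are reasonable to collect for engagement analytics.
const COLLECTABLE_TYPES = new Set(["text", "search", "radio", "checkbox", "range"]);
// Name fragments that suggest a sensitive field even when the type says otherwise.
const SENSITIVE_NAME = /pass|pwd|secret|token|card|cvv|ssn/i;

const REDACTED = "[redacted]";

// Denylist heuristic: redact only the types we know are sensitive and forward
// every attribute. Anything the denylist did not anticipate is sent.
function denylistEvent(field) {
  const type = field.type; // undefined if no type attribute was present at capture time
  const sensitive = type === "password" || type === "hidden";
  return {
    name: field.name,
    value: sensitive ? REDACTED : field.value,
    attributes: { ...field.attributes }, // includes anything a plugin added
  };
}

// Allowlist design: a value is sent only if its type is explicitly collectable
// and its name does not look sensitive; only structural attributes are forwarded.
function allowlistEvent(field) {
  const type = String(field.type || "").toLowerCase();
  const collectable =
    COLLECTABLE_TYPES.has(type) && !SENSITIVE_NAME.test(field.name || "");
  const attributes = {};
  for (const [key, val] of Object.entries(field.attributes || {})) {
    if (SAFE_ATTRIBUTES.has(key.toLowerCase())) attributes[key] = val;
  }
  return {
    name: field.name,
    value: collectable ? field.value : REDACTED,
    attributes,
  };
}

// Constructed sample fields (hypothetical; not taken from the article).
const SAMPLE_FIELDS = [
  { name: "q", type: "text", value: "gdpr fines", attributes: { id: "search" } },
  { name: "password", type: "password", value: "hunter2", attributes: { id: "pw" } },
  // Type attribute missing at the moment of capture: a denylist keyed on
  // type === "password" treats this field as harmless.
  { name: "password", type: undefined, value: "hunter2", attributes: { id: "pw2" } },
  // A plugin mirrored the secret into a custom attribute; forwarding all
  // attributes ships it along with the event.
  { name: "q2", type: "text", value: "hello", attributes: { "data-autofill-secret": "hunter2" } },
];

// True if the secret appears anywhere in the event that would be sent.
function eventLeaks(event, secret) {
  return event.value === secret || Object.values(event.attributes).includes(secret);
}

// Number of sample fields for which the given strategy would send the secret.
function countLeaks(strategy, fields, secret) {
  return fields.filter((field) => eventLeaks(strategy(field), secret)).length;
}

console.log("denylist leaks:", countLeaks(denylistEvent, SAMPLE_FIELDS, "hunter2"));
console.log("allowlist leaks:", countLeaks(allowlistEvent, SAMPLE_FIELDS, "hunter2"));
```

Against the constructed fields the denylist sends the secret twice (once from the untyped field, once via the custom attribute) while the allowlist sends it zero times. The point is the shape of the decision, not the specific patterns: a collector that must name everything it refuses will eventually meet a field or attribute it did not anticipate, whereas one that names what it accepts fails closed.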

The original article (and image) was first published at: https://www.theregister.co.uk/2018/02/07/mixpanel_slurped_passwords_in_library_update_slip/
