Online analytics firms leak user passwords from sites

  • Liam Tung (CSO Online)
  • 27 February, 2018 07:03

Web analytics firm Mixpanel earlier this month fixed a “bug” that led to it accidentally collecting user passwords from third-party sites it was analyzing, but the problem is not isolated to one product, according to researchers. 

As reported by TechCrunch in early February, a change to the React JavaScript library didn’t mesh with Mixpanel’s Autotrack feature and ended up with it inadvertently slurping data in password fields for nine months. Mixpanel issued an update so that its software would filter out passwords. 

But researchers at Princeton University’s Centre for Information Technology Policy say the problem is more widespread than a fault in one product and extends to flawed techniques used to protect sensitive information when users visit sites with so-called “session replay” scripts embedded on them. 

The Princeton researchers last year drew attention to how session replay scripts embedded on popular websites were collecting a variety of sensitive information. Captured details were only exposed to site owners but posed a risk to end-users in the event a website suffered a data breach. 

And since that research was released, cybercriminals have attempted to exploit the legitimate analytics features to steal valuable data, like credit card numbers and usernames. Security researchers at Trend Micro this month reported that cybercriminals had integrated a session replay software library from Russian search firm Yandex into nearly 100 Chrome extensions that were capable of capturing credit card numbers, email addresses and phone numbers. The library, by design, did not capture user passwords. 

The chief problem is that scripts from session replay vendors capture everything typed into a page yet can’t adequately filter out sensitive information in all contexts. Some variant of the same problem exist in session replay scripts supplied by Mixpanel, Adobe’s Analytics ActivityMap, John Lewis, FullStory and PropellerAds. 

“There is no foolproof way for these third party scripts to prevent password collection, given their intended functionality. In some cases, password collection happens due to extremely subtle interactions between code from different entities,” write Princeton’s researchers.

“Overall, we think that the approach of third-party scripts collecting the entirety of web pages or form inputs, and attempting to filter out sensitive information is incompatible with user security and privacy.”

Mixpanel wasn’t included in Princton’s original research into privacy design flaws affecting sites that use session replay scripts, but a second pass at its software after the password slurping glitch revealed it and other products were still grabbing passwords.

The problem lies in unexpected ways that sites interact with the scripts. For example, it’s common for sites to include a “Show Password” feature to help users see what’s typed on a mobile screen, however Mixpanlel’s filter didn’t factor in would place the passwords in unprotected fields. 

So people who’ve signed up the site will have their password collected by Mixpanel in cleartext if they use the “Show Password” feature, even if the user doesn’t submit the login form. Mixpanel in response has marked the Autotrack feature as “on hold”, suggesting it is disabled. 

The researchers note that the behavior of the scripts aren’t bugs that can be fixed, but are rather the result of insecure practices that "should be stoped entirely”   

“Even if the specific problems highlighted in this post were fixed, we suspect we’d be able to continue to find variants of the same leaks elsewhere. Thankfully these password leaks can’t be exploited publicly, since the analytics data is only available to first parties. Instead, these leaks expose users to an increased risk to data breaches, an increased potential for data access abuse, and to unclear policies regarding data retention and sharing,” the researchers write.