Keen.io WebAutoCollector-JS collects and stores passwords in plain text

4 points

9 years ago

The JavaScript WebAutoCollector from keen.io collects and stores all submitted form data including passwords in plain text at the keen.io infrastructure.

People who are in possession of the read-key for your store have access to this data. Keen.io is informed and will fix this soon.

The sourcecode: https://d26b395fwzu5fz.cloudfront.net/keen-web-autocollector-1.0.7.js

---

From https://keen.io/docs/streams/web-auto-collection :

The Web Auto-Collector will automatically collect the following events with data rich properties like url, referrer, geo-location, and date-time from your website or web app.

-> Pageviews

-> Clicks (on anything, not just buttons and links)

-> Form Submissions, including the data that was submitted with the form

---

This is an excerpt from my data automatically stored for a form-submission-event at keen.io:

  { ...,
    "form": {
        "action": "http://ypsilon.dev:4000/en/sign_in",
        "fields": {
          "_utf8": "",
          "_csrf_token": "Fy4PFA9XFDlybjUEIxBxAhUHdiMyAAAAOYIZc3Bi+9fade6saAYKWg==",
          "user": {
            "email": "[email protected]",
            "password": "i_am_plain_text"
          }
        },
        "method": "post"
      },
    ...
  }

2 comments