Web analytics outfit Mixpanel slurped surfers' passwords

Library update slip means it's time to reset the 'Days since last big breach' counter to zero

By Richard Chirgwin

Posted in Security, 7th February 2018 02:58 GMT

Website analytics outfit Mixpanel has admitted to harvesting passwords.

Mixpanel provides a suite of services to help web publishers improve engagement. Among those services is "Autotrack", which promised the chance to track just about every aspect of a user's visit to a website. Including, it has been revealed, their passwords.

The issue became public when a user uploaded Mixpanel's mea culpa to Reddit.

“On January 5th, 2018, a customer informed us that they observed Autotrack sending the values of password fields in events,” the message said. “We confirmed that this was unexpected behavior; by design, Autotrack should not send the values of hidden and password form fields.”

The note goes on to explain that the bug was introduced by a change in the React JavaScript library dating back to March 2017, and that Mixpanel does not believe any third party accessed the information.

Princeton privacy researcher Steven Englehardt, who last year warned that session replay analytics breached privacy, tweeted his opinion that Mixpanel meant to filter out sensitive information, but its heuristic failed.

Later in that thread, Englehardt added that scraping user data should be considered an “inherently insecure process”.

Mixpanel customers need to update to the patched SDK version to stop their sites grabbing passwords, and the company said “we’re adding some additional explicit checkpoints in our product development processes to help ensure that we’ve considered all of the impacts of the changes we make.”

The company also discovered a second slip-up in its own software, noting that since August 2016, password scraping could happen if the website visitor used browser plugins that “place sensitive data into form element attributes.” ®
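Both failure modes described above, the framework change that mirrored a field's value into its markup and the plugin that stuffs secrets into element attributes, come down to the same design flaw: a collector that checks the input type before reading the live value, then dumps every attribute on the element unfiltered. The following is an added example, not Mixpanel's Autotrack code, with a deliberately simplified element model (plain objects standing in for DOM nodes; the field names, values and the `data-plugin-value` attribute are constructed). It contrasts that naive serialiser with a hardened one that skips password and hidden controls outright, never reads any control's value, and copies only an allowlist of structural attributes.

```javascript
// Added example, not Mixpanel's Autotrack. A DOM element is modelled as a plain
// object: tagName, type, the live .value property, and a map of the HTML
// attributes actually present on the node (an assumption for the example).

const SENSITIVE_TYPES = new Set(['password', 'hidden']);

// Naive autotrack-style serialiser. The type check guards only the live .value
// property; every attribute on the element is then copied verbatim, so a value
// mirrored into the markup, or stashed there by a plugin, goes out anyway.
function collectNaive(form) {
  return form.elements.map((el) => {
    const record = { tag: el.tagName, type: el.type, attributes: { ...el.attributes } };
    if (!SENSITIVE_TYPES.has(el.type)) {
      record.value = el.value; // the only place the heuristic is applied
    }
    return record;
  });
}

// Hardened serialiser: drop password/hidden controls entirely, never read
// .value of any control, and copy only an allowlist of structural attributes.
const ALLOWED_ATTRS = ['id', 'name', 'type', 'class'];

function collectHardened(form) {
  const out = [];
  for (const el of form.elements) {
    if (SENSITIVE_TYPES.has(el.type)) continue;
    const attributes = {};
    for (const name of ALLOWED_ATTRS) {
      if (Object.prototype.hasOwnProperty.call(el.attributes, name)) {
        attributes[name] = el.attributes[name];
      }
    }
    out.push({ tag: el.tagName, type: el.type, attributes });
  }
  return out;
}

// Ids of the records whose serialised form would carry the secret off-site.
function leakingRecords(records, secret) {
  return records
    .filter((r) => JSON.stringify(r).includes(secret))
    .map((r) => r.attributes.id);
}

// Constructed sample login form; all values are made up for the example.
const PASSWORD = 'hunter2';
const CSRF = 'csrf-9f3a';
const sampleForm = {
  elements: [
    { tagName: 'INPUT', type: 'text', value: 'alice',
      attributes: { id: 'user', name: 'username', type: 'text' } },
    // Password field whose framework has mirrored the live value into the
    // value attribute: the shape of the library change the article describes.
    { tagName: 'INPUT', type: 'password', value: PASSWORD,
      attributes: { id: 'pw', name: 'password', type: 'password', value: PASSWORD } },
    // Hidden field carrying an anti-CSRF token, mirrored the same way.
    { tagName: 'INPUT', type: 'hidden', value: CSRF,
      attributes: { id: 'tok', name: 'csrf', type: 'hidden', value: CSRF } },
    // Ordinary text field where a browser plugin has written the password
    // into a custom attribute: the second case the article mentions.
    { tagName: 'INPUT', type: 'text', value: '',
      attributes: { id: 'note', name: 'note', type: 'text', 'data-plugin-value': PASSWORD } },
  ],
};

console.log('naive collector leaks the password from:',
  leakingRecords(collectNaive(sampleForm), PASSWORD));
console.log('hardened collector leaks the password from:',
  leakingRecords(collectHardened(sampleForm), PASSWORD));
```

Run with `node`: the naive collector leaks the password from both the `pw` and `note` records (and the CSRF token from `tok`) even though it never reads `.value` on a password field, while the hardened collector emits only the two text controls with their structural attributes. The hardened version takes the conservative position Englehardt's thread argues for: the safest value to scrape is none, since an input's type is not a reliable signal of whether its contents are sensitive.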
