
Keen.io WebAutoCollector-JS collects and stores passwords in plain text - cachezero
The JavaScript WebAutoCollector from keen.io collects and stores all submitted form data *including passwords* in plain text at the keen.io infrastructure.

People who are in possession of the read-key for your store have access to this data. Keen.io is informed and will fix this soon.

The source code: https://d26b395fwzu5fz.cloudfront.net/keen-web-autocollector-1.0.7.js

---

From https://keen.io/docs/streams/web-auto-collection :

The Web Auto-Collector will automatically collect the following events with data rich properties like url, referrer, geo-location, and date-time from your website or web app.

-> Pageviews

-> Clicks (on anything, not just buttons and links)

-> Form Submissions, including the data that was submitted with the form

---

This is an excerpt from my data automatically stored for a form-submission-event at keen.io:

    { ...,
      "form": {
        "action": "http://ypsilon.dev:4000/en/sign_in",
        "fields": {
          "_utf8": "",
          "_csrf_token": "Fy4PFA9XFDlybjUEIxBxAhUHdiMyAAAAOYIZc3Bi+9fade6saAYKWg==",
          "user": {
            "email": "foo@example.com",
            "password": "i_am_plain_text"
          }
        },
        "method": "post"
      },
      ...
    }
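
Added example, not part of the original post and not Keen IO's code: one way a form-submission collector can build the nested `fields` object seen in the excerpt while redacting credential-like values before anything leaves the browser. The field-descriptor shape, the `collectFields` name and the name patterns are assumptions made for this sketch.

```javascript
const REDACTED = "[REDACTED]";
// Assumed name patterns; extend them for your own forms.
const SENSITIVE_NAME = /pass(word|wd)?|secret|token|csrf|cvv|card/i;
// Keys that must never be used as object paths (prototype pollution).
const UNSAFE_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// "user[password]" -> ["user", "password"]
function splitName(name) {
  return String(name).split(/[\[\]]+/).filter(Boolean);
}

// A field is sensitive by input type, autocomplete hint, or any name segment.
function isSensitive(field, path) {
  const type = String(field.type || "").toLowerCase();
  const autocomplete = String(field.autocomplete || "").toLowerCase();
  return (
    type === "password" ||
    /password|one-time-code|^cc-/.test(autocomplete) ||
    path.some((part) => SENSITIVE_NAME.test(part))
  );
}

// Build the nested "fields" object, replacing sensitive values with a marker.
function collectFields(fields) {
  const out = {};
  for (const field of fields) {
    const path = splitName(field.name);
    if (path.length === 0 || path.some((p) => UNSAFE_KEYS.has(p))) continue;
    let node = out;
    for (const key of path.slice(0, -1)) {
      if (typeof node[key] !== "object" || node[key] === null) node[key] = {};
      node = node[key];
    }
    node[path[path.length - 1]] = isSensitive(field, path) ? REDACTED : field.value;
  }
  return out;
}

// Constructed sample mirroring the sign-in form in the excerpt above.
const sample = [
  { name: "_utf8", type: "hidden", value: "" },
  { name: "_csrf_token", type: "hidden", value: "constructed-token" },
  { name: "user[email]", type: "email", value: "foo@example.com" },
  { name: "user[password]", type: "password", value: "i_am_plain_text" },
  // A show-password toggle switches the input to type="text"; the name still matches.
  { name: "user[password_confirmation]", type: "text", value: "i_am_plain_text" },
];
console.log(JSON.stringify(collectFields(sample), null, 2));
```

Checking the name as well as the input type matters because a type-only filter misses password inputs that a show-password toggle has switched to `type="text"`.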
======
aroc
Hi there, I work for Keen IO. The AutoCollector SDK was fixed early this
morning. Version 1.0.8 no longer sends password fields in plaintext. If you
upgrade your version to 1.0.8 you'll be good to go. We're working to inform
all users of our AutoCollector SDK that they should upgrade immediately.
Thanks again for bringing this to our attention.

~~~
cachezero
Thank you for the quick fix and the transparency <3

