App Analysis: Air Canada (theappanalyst.com)
166 points by tolien 9 days ago | 52 comments

This is fun. Does this potentially mean that there are analytics firms out there with tons of "screenshots" containing easily demasked credit card info probably sitting somewhere in an S3 bucket? That's a new attack vector I've never thought about.

Exactly! Glad someone is catching my point. The issue is that people go to the ends of the earth to protect databases of credit card information; I doubt the same can be said for a database of screenshots containing equivalent info.

Another big issue I see is I may trust company X with my data but I as a consumer wouldn’t know I’m actually sharing my data with company Y and I think that is something users should be aware of.

It will just end up like the GDPR in terms of user response. There will be yet another new annoying popup with mandatory darkened background asking you to accept the analytics or leave the site.

Most people will not actually read any of it, and hit OK without giving it much thought. I feel as if we are just waiting for something bad to happen before we take action in restricting this big data analytics trend.

It seems to be a trend, we are passive until the problem smacks us in the face and then we grudgingly work on solving it slowly.

This writeup has a nice, calm, "Your house is on fire" quality about it that I find refreshing.

Thanks I try not to be overly sensationalist about my topics and just display the facts. Thanks for giving it a read :)

Absolutely - not sure why all these mini-emperors-of-Rome insist on downvoting a legitimate compliment, but to have a piece of security writing that

1) reveals a significant security issue

2) ...without the usual overblown signals to the effect of how important it is (it usually isn't) and "hey, pay attention to me"

...is refreshing, no other word for it. And if it were done more often that way in the mainstream, there would be no need for a clickbait headline arms race.

I think you should have a discussion section where you talk about potential implications (possible password leaks via S3).

I love this kind of analysis, even considered doing some myself, do you just pick apps at random to do this with?

Good writeup. There's absolutely no way this is not a PCI-DSS violation.

What’s the data advantage of taking and sending a screenshot of the app instead of just sending user events (e.g. field filled, field selected, form submitted)?

A screenshot literally unstructures the data.

It's not for data, but for catching visual bugs.

The website for Glassbox (https://www.glassboxdigital.com/solution/customer-experience...) pitches the capture feature as "Watch visitors' struggles for yourself to improve your website’s customer experience."

IMO that seems inefficient. You could do the same at scale with the right implementation of events.

> You could do the same at scale with the right implementation of events.

It's not worth the cost to roll your own. I use fullstory.com for web, and it's an incredibly invaluable tool - next best thing to in-person user interviews. I'm able to see front-end errors in TrackJS/Sentry/NewRelic and find the matching session in FullStory to review with my team. With this tooling, there isn't a single issue/bug I haven't been able to reproduce and witness firsthand across any device/platform (like esoteric IE 11/Safari 10 issues).

I personally use TrackJS and find it quite useful. I never heard of Fullstory and it looks interesting. I see that they advertise showing JS errors as well similar to TrackJS. Is it not as good as TrackJS for this? I am curious why you need to use multiple if Fullstory gives that?

I'm just looking at either replacing TrackJS with Fullstory, or keeping both if fullstory is helpful with TrackJS.

I still use TrackJS for primary error reporting, but FullStory happens to capture them as well and they show them inline with the viewing session in a mock console. It's a nice little feature and can be convenient.

"Watch visitors' struggles for yourself" brought dark patterns to mind immediately.

It's actually a normal and proper way to improve usability if done right, i.e. in a study where you set tasks for users and watch what they're doing and where they have problems. Jakob Nielsen has been doing this for decades.

Not sure if looking at users' screenshots is anywhere near as useful.

And in most cases incomplete. Those screenshots don't tell them what I'm trying to do (I'm looking for X, how would that show up in a screenshot/video) and they don't tell them I'm angry because of X (something is missing etc).

Sometimes it would be nice if companies just actually listened to user feedback (e.g. app store reviews, bug reports, etc) instead of only going by automatic metrics.

For catching behavioral struggles, according to this press release from Glassbox and Air Canada:

> “Glassbox provides crucial insights on customer struggles and experience issues that cannot be identified by other systems and help us address them immediately,” added Chartrand.[1]

[1] https://www.glassboxdigital.com/press-release/air-canada-cho...

That's just a small sample of services that allow you to record the user's screen or take screenshots. App session replay software has existed for years, and of course it captures everything that is going on in the app, including checkouts and profile data (unless you flag those screens in the SDK implementation).

Like someone already pointed out, that video or image will likely be stored somewhere (an S3 bucket or some static storage). I think anyone who is implementing these types of SDKs in their app needs to do their due diligence and not push sensitive data to these third parties.

Just checked out userx.pro, and wow: a site that claims to help improve user experience yet hijacks the ‘back’ button. The mind boggles.

“Improved retention,” indeed.

Hi! Could you tell us on what page of the website you found the back-button hijack? Actually we don't have one. If it really happened we'll fix this bug ASAP.

Oops, I only just now saw this reply!

It was the homepage, when I followed the link to it. I was hasty in assuming it was intentional, and I’m glad to hear that’s not the case.

I suspect it’s a bug, possibly caused by my use of an ad blocker. (I’m accustomed to sites malfunctioning in certain ways when the blocker is turned on, but I’d never seen it cause me to be unable to use “back” to leave.)

If it helps, it happened in Safari on iOS 12.1.4. The content blocker I’m using is ‘1Blocker X’ from the iOS App Store.

I didn't experience any hijacking, even with uBlock disabled.

Good to know... was hoping it might just be a bug.

We need more analyses like this calling out businesses that violate their users' trust.

This write-up doesn't actually state where these unobfuscated images came from, so it's not clear to me where (or whether) there are actually unobfuscated images in Air Canada's system. Tools like Glassbox usually mark PII fields with CSS classes to blur/redact fields when the screenshots are taken. It looks like the author may have found password and credit card fields without these CSS classes and manually recreated what the unobfuscated fields would look like with dummy data, but it's also possible to configure these tools to not log entire pages or directories -- this is how payment pages are usually configured, with screenshotting completely disabled.

If the (anonymous) author simply mocked up what these screenshots _might_ look like if they were saved, that's pretty misleading.

Author here. These are not mockups, and if you watch the video linked you can see me replay the session I captured using an HTTPS proxy. Hope that clears things up, thanks for your interest!

I had a similar question - I would recommend making that clear on an edit of the post

But thanks for this - I had no idea such things were prevalent ... now I wonder if I should surf with a proxy on to see what's being sent ...

It's very sobering. But much harder now when everything is on HTTPS.

I was once forced to integrate one such product in our app. We did mask what we thought was the sensitive information. Within days of release, the app was removed from the Play Store for privacy violation. Had to remove the SDK to get back in business. So Google does use tools to detect such stuff, and this was early 2017.

"Peekaboo" PCI compliance level.

Great read! Thanks for investigating this kind of thing, it's beyond useful.

I love the idea of this web site. But it is not so convincing when it is not HTTPS. (ok, I expected downvote)

Haha very true, I was never expecting this to get much traction... will update with the proper pki asap, thanks :)

Add an RSS feed please ;)

I'm personally a big fan of HTTPS, but I honestly don't know what the benefit would be of using it on such a site.

I was in charge of building this kind of product for another analytics company. This technology is called session replay, and it is used for many use cases, such as UX improvement, support, bug detection...

Most vendors record keyboard inputs and thus can record passwords as well as credit card information; there was an affair about it a few years ago [1]. To avoid this issue, most vendors provide a way to not record that information. It requires manual tagging of the website on the elements that contain critical content.

But many session replay vendors have many clients, and don't force or don't verify that all the critical information is masked. This is not GDPR compliant, because when the GDPR applies you need the consent of the user to record their PII, and you are not even allowed to record information like passwords, sexual orientation or credit cards even if you have the consent.

Two things:

- Nowadays on the web most payment pages are not hosted on the client website, so those analytics tools are not included (but we still have many websites that don't use a third party for that).

- This data is not (most of the time) recorded in a structured way; input data is recorded as some element of an HTML document, and thus it is not super easy to extract the information at scale.

[1] https://freedom-to-tinker.com/2018/02/26/no-boundaries-for-c...
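Following the masking point above (and the earlier note in the thread that tools like Glassbox rely on integrator-applied CSS classes to redact fields), here is an added example, not code from the article or from any vendor SDK: a minimal session-replay-style DOM serializer that masks tagged or recognisably sensitive inputs before anything is recorded, plus an audit that lists sensitive inputs the integrator never tagged. The `data-replay-mask` attribute name and the sample form are assumptions; the functions are duck-typed so they run on real DOM Elements as well as the constructed tree.

```javascript
// Added example (not the article's or any vendor's code). The tag attribute
// name is an assumption; real SDKs use their own class or attribute.
const MASK_ATTR = "data-replay-mask";
const SENSITIVE_TYPES = new Set(["password"]); // masked even when untagged
const SENSITIVE_AUTOCOMPLETE = /^(cc-|new-password|current-password|one-time-code)/;

// Attribute lookup that works on real DOM Elements and on the plain-object
// tree constructed at the bottom of this block.
function attr(node, name) {
  if (typeof node.getAttribute === "function") return node.getAttribute(name);
  return name in (node.attrs || {}) ? node.attrs[name] : null;
}

function isSensitive(node) {
  if (node.tagName.toLowerCase() !== "input") return false;
  const type = (attr(node, "type") || "text").toLowerCase();
  const autocomplete = (attr(node, "autocomplete") || "").toLowerCase();
  return SENSITIVE_TYPES.has(type) || SENSITIVE_AUTOCOMPLETE.test(autocomplete);
}

// Serialize the tree the way a replay SDK would, but replace the value of any
// tagged or recognisably sensitive input with same-length asterisks, so the
// stored session (the S3 bucket discussed above) never carries the secret.
function serialize(node) {
  const tag = node.tagName.toLowerCase();
  const out = { tag };
  if (tag === "input") {
    const value = node.value || "";
    const masked = attr(node, MASK_ATTR) !== null || isSensitive(node);
    out.value = masked ? "*".repeat(value.length) : value;
  }
  const kids = Array.from(node.children || []);
  if (kids.length) out.children = kids.map(serialize);
  return out;
}

// Audit for the integrator: names of sensitive inputs that carry no mask tag.
function untaggedSensitiveInputs(node, found = []) {
  if (isSensitive(node) && attr(node, MASK_ATTR) === null) found.push(attr(node, "name") || "(unnamed)");
  for (const kid of Array.from(node.children || [])) untaggedSensitiveInputs(kid, found);
  return found;
}

// Constructed sample standing in for a checkout form (no real data).
const el = (tagName, attrs = {}, value = "", children = []) => ({ tagName, attrs, value, children });
const sampleForm = el("form", {}, "", [
  el("input", { name: "card", autocomplete: "cc-number" }, "4111111111111111"),
  el("input", { name: "pass", type: "password", [MASK_ATTR]: "" }, "hunter2"),
  el("input", { name: "seat", type: "text" }, "12A"),
]);
```

In a browser, `serialize(document.body)` and `untaggedSensitiveInputs(document.body)` run unchanged; the audit is the check a vendor could run on the integrator's behalf instead of trusting that every field was tagged.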

> you are not even allowed to record information like password, sexual orientation, credit card even if you have the consent

Wait, why can’t a website record my sexual orientation with my consent?

How will dating sites work then? Or is there a difference between asking about sexual orientation and asking me about what gender I would like to see / what I am looking for? If there is a difference then what’s the point of not allowing sexual orientation to be stored? From a practical point of view, the question phrased as what I am interested in / looking for gives about the same information, doesn't it?

It is the difference between personal data and sensitive data. I'm not an expert on the subject, but in this article https://gdpr-info.eu/art-9-gdpr/ they say

> Paragraph 1 shall not apply if one of the following applies: the data subject has given explicit consent to the processing of those personal data for one or more specified purposes

But I was talking about third parties that collect information, not the website itself. I was only working on the third-party side, so I don't know what websites are allowed to do.

> But I was talking about third parties that collect information, not the website itself. I was only working on the third-party side, so I don't know what websites are allowed to do.

Ah, I see.

Glassdoor claim to be able to screenshot web browsers as well. I didn’t know that was possible.

It’s possible to convert an entire HTML document in its current state to a bitmap using canvas and getComputedStyle (see html2canvas) though I don’t know if this is the method they use.

You might have meant "Glassbox".

As far as their claim, it sounds like marketing speak. My guess is they're listening to events and then superimposing them on the UI to mimic a screenshot.

On iOS, apps can open a modal Safari webview instance within the app.

Can apps screenshot what's displayed in Safari in that case?

No, there is no way to screenshot SFSafariViewController because it's rendered out-of-process in a way that no identifying information is conveyed to the host app. You can try this yourself: you'll see that your screenshot contains a blank navigation bar and toolbar, but nothing else.

Everything is possible thanks to the MutationObserver that is now available on all browsers, except IE.

What? You used a porn site that demanded Camera access, and you agreed to it? To each is their own, I guess. But that's not a move I would have done...

What's "their contract" that's prohibiting you from naming the site, apart from a standard EULA that no one reads? Who cares, just name the site?

Honestly, I'm having trouble believing this.

I can't imagine that a porn site full of videos of guys whacking off in front of their laptops would be a money spinner, tbh.

> money from the views my videos received

Yeah right bud.

this isn't true
