Website analytics outfit Mixpanel has admitted to harvesting passwords.
Mixpanel provides a suite of services to help web publishers improve engagement. Among those services is "Autotrack", which promised the chance to track just about every aspect of a user's visit to a website. Including, it has been revealed, their passwords.
The issue became public when a user uploaded Mixpanel's mea culpa to Reddit.
“On January 5th, 2018, a customer informed us that they observed Autotrack sending the values of password fields in events,” the message said. “We confirmed that this was unexpected behavior; by design, Autotrack should not send the values of hidden and password form fields.”
Princeton privacy professor Steven Englehardt, who last year warned that replay analytics breached privacy, Tweeted his opinion that Mixpanel meant to filter out sensitive information, but its heuristic failed.
[2/7]How does one retroactively collect form inputs? From what I can tell, Mixpanel saves all input data from the time of install and uses a heuristic to filter out "sensitive fields such as password or hidden fields".— Steven Englehardt (@s_englehardt) February 5, 2018
The password leak was caused by a failure in that heuristic.
Later in that thread, Englehardt added that scraping user data should be considered an “inherently insecure process”.
Mixpanel users need to update their SDK version to stop grabbing passwords, and the company said “we’re adding some additional explicit checkpoints in our product development processes to help ensure that we’ve considered all of the impacts of the changes we make.”
The company also discovered a second slip-up in its own software, noting that since August 2016, password scraping could happen if the Website visitor used plugins that “place sensitive data into form element attributes.” ®