Steven Englehardt

[7/7]This is surprisingly similar to the leaks we found to be caused by session replay scripts (https://freedom-to-tinker.com/2017/11/15/no-boundaries-exfiltration-of-personal-data-by-session-replay-scripts/ …). These scripts also scrape user data from the DOM and use a blend of automated & manual redaction. As highlighted in the post, sensitive data leaks are common.

[6/7]The effort spent by a publisher to ensure no sensitive data is collected could just as well be spent explicitly choosing the form fields from which to collect data. The latter whitelist approach is also significantly less likely to lead to unexpected leaks.

[4/7]This shouldn't be thought of as a bug! Instead, it adds to the evidence that the automated scraping of user data from a page is an inherently insecure process. There is no way a heuristic-based blacklist will be able to filter all possible sensitive information leaks.

[3/7]In this specific case, the React library was handling passwords in a way the heuristic didn't account for. Mixpanel's announcement also hints that similar leaks may have occurred from password manager extensions changing the DOM.

[2/7]How does one retroactively collect form inputs? From what I can tell, Mixpanel saves all input data from the time of install and uses a heuristic to filter out "sensitive fields such as password or hidden fields". The password leak was caused by a failure in that heuristic.

New research: Web trackers harvest email addresses by injecting invisible login forms and reading back any auto-filled data. https://freedom-to-tinker.com/2017/12/27/no-boundaries-for-user-identities-web-trackers-exploit-browser-login-managers/ … w/ Gunes Acar and @random_walker