Created
September 27, 2022 08:35
-
-
Save asumansenol/60b2aa92e90b18b4a5380a54ccaa77de to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| [We would appreciate it if you could forward this message to your | |
| information security personnel.] | |
| To whom it may concern, | |
| I and my colleagues from multiple European research institutes are | |
| investigating personal data collection on popular websites. During our | |
| study, we found that a third-party script from Yandex collects visitors’ | |
| passwords from your web form on | |
| https://www.toyota.ru/apps/customerportal#/not.... | |
| We have reported the problem to Yandex, who then issued an update to fix | |
| the problem. That means passwords on your website should not be | |
| collected anymore. | |
| If you still want to try to reproduce the issue, follow these steps: go | |
| to https://www.toyota.ru/apps/customerportal#/not... and type a fake | |
| password into the password box. Then press the Tab key to move to the | |
| next field. This will trigger a request to Yandex that contains the | |
| typed password as part of the POST data. | |
| We would appreciate it if you could update us if you take any action to | |
| address this issue. We plan to describe websites’ responses to our | |
| disclosure in our academic paper, which is a collaboration between | |
| researchers from law and computer science disciplines. | |
| We would like to stress that we have not captured data of your visitors, | |
| or any other user in our study. | |
| Please feel free to reach out if you need any clarification or | |
| additional information regarding our disclosure. | |
| Kind regards |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment