Last active September 27, 2022 08:37
Gist: asumansenol/9b82938bf3c30eacb367aa6da039c56f
Hi,

[We would appreciate it if you could forward this message to your information security personnel.]

We are researchers from KU Leuven (Belgium), currently studying personal data collection on popular websites.

During our research we came across incidental password collection by Yandex Metrica on around 50 websites, including popular websites such as championat.com, olymptrade.com, exness.com, and toyota.ru.

On these websites, when a user types in their password, Yandex Metrica’s session replay feature immediately collects and sends the password to a URL starting with mc.yandex.ru/webvisor. The user does not need to submit the form for the collection to happen. The password is collected almost key by key, while the user is typing.

We understand that Yandex Metrica does not intentionally collect these passwords. Analyzing a sample of the websites with this issue (see the list below), we noticed that almost all of them were built using React.js. So we believe the passwords are collected due to an interaction between Yandex Metrica and React. Unfortunately, we did not have time to fully confirm this hypothesis, but we are sharing the list of webpages on which we observed password collection. We hope that the list will help you identify and address the problem.

We would appreciate it if you could let us know when you release a fix for the problem. We’ll be happy to confirm the solution on a sample of websites.

Feel free to let us know if you need any more details from us.

Kind regards,

PS: To be perfectly clear, we have not observed or captured any user data in our study. Passwords on the following pages are directly sent to Yandex.

The list of pages where Yandex Metrica incidentally collects passwords:
https://www.championat.com
https://olymptrade.com
https://my.exness.com/accounts/sign-in
https://ctc.ru/auth/
https://passport.travelpayouts.com/
https://www.giraff.io/login
https://ib.open.ru/webbank/#/login
https://www.sibnet.ru/
https://expertoption.com/
https://bitmedia.io/app/sign-up
https://secretmag.ru/
https://fboom.me/auth/login
https://lingualeo.com/ru
https://mybook.ru/
https://www.forumhouse.ru/auth/register
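The collection the email describes is visible from the affected page itself as outbound requests that carry what was typed before any submit. As an added example (not code from the email, from the researchers, or from Yandex Metrica), the helper below lets a site owner audit their own login page: it wraps `fetch`, `XMLHttpRequest` and `navigator.sendBeacon` and records every request whose URL or body contains a canary string typed into the password field. The names `installExfilMonitor`, `bodyToString` and `CANARY` are assumptions.

```javascript
// Added audit example, not code from the disclosure email or from Yandex
// Metrica; installExfilMonitor, bodyToString and CANARY are hypothetical names.
// Type CANARY into a password field on a page under test (without submitting),
// then read `hits` to see which outbound calls carried the keystrokes and where.
const CANARY = "canary-" + Math.random().toString(36).slice(2); // constructed

// Normalise the body types commonly passed to fetch/XHR/sendBeacon into text;
// unknown types (Blob, FormData, streams) yield "" and are not searched.
function bodyToString(body) {
  if (body == null) return "";
  if (typeof body === "string") return body;
  if (body instanceof URLSearchParams) return body.toString();
  if (body instanceof ArrayBuffer || ArrayBuffer.isView(body)) {
    return new TextDecoder().decode(body);
  }
  return "";
}

// Wrap the outbound-request APIs on `env` (window in a browser). A request
// whose URL or body contains the canary is recorded with the API that carried
// it; the original call still goes through so the page keeps working.
function installExfilMonitor(env, canary, hits = []) {
  const check = (api, url, body) => {
    if (String(url).includes(canary) || bodyToString(body).includes(canary)) {
      hits.push({ api, url: String(url) });
    }
  };
  if (env.navigator && typeof env.navigator.sendBeacon === "function") {
    const orig = env.navigator.sendBeacon.bind(env.navigator);
    env.navigator.sendBeacon = (url, body) => (check("sendBeacon", url, body), orig(url, body));
  }
  if (typeof env.fetch === "function") {
    const orig = env.fetch.bind(env);
    env.fetch = (url, init) => (check("fetch", url, init && init.body), orig(url, init));
  }
  if (env.XMLHttpRequest) {
    const proto = env.XMLHttpRequest.prototype;
    const origOpen = proto.open, origSend = proto.send;
    proto.open = function (method, url, ...rest) {
      this.__auditUrl = url; // remember the target for the later send()
      return origOpen.call(this, method, url, ...rest);
    };
    proto.send = function (body) {
      check("xhr", this.__auditUrl, body);
      return origSend.call(this, body);
    };
  }
  return hits;
}
```

Session-replay scripts often batch, compress or encode their payloads, so an empty `hits` list is not proof that keystrokes are not sent; confirm in the browser's network panel, filtering on the mc.yandex.ru/webvisor URL the email names.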