Keen.io WebAutoCollector-JS collects and stores passwords in plain text
4 points by cachezero 3394 days ago
The JavaScript WebAutoCollector from keen.io collects and stores all submitted form data, including passwords, in plain text on the keen.io infrastructure.

People who are in possession of the read-key for your store have access to this data. Keen.io has been informed and will fix this soon.

The source code: https://d26b395fwzu5fz.cloudfront.net/keen-web-autocollector-1.0.7.js

---

From https://keen.io/docs/streams/web-auto-collection :

The Web Auto-Collector will automatically collect the following events with data-rich properties like url, referrer, geo-location, and date-time from your website or web app.

-> Pageviews

-> Clicks (on anything, not just buttons and links)

-> Form Submissions, including the data that was submitted with the form

---

This is an excerpt from my data automatically stored for a form-submission event at keen.io:

  { ...,
    "form": {
      "action": "http://ypsilon.dev:4000/en/sign_in",
      "fields": {
        "_utf8": "",
        "_csrf_token": "Fy4PFA9XFDlybjUEIxBxAhUHdiMyAAAAOYIZc3Bi+9fade6saAYKWg==",
        "user": {
          "email": "foo@example.com",
          "password": "i_am_plain_text"
        }
      },
      "method": "post"
    },
    ...
  }
1 comment

Hi there, I work for Keen IO. The AutoCollector SDK was fixed early this morning. Version 1.0.8 no longer sends password fields in plaintext. If you upgrade your version to 1.0.8 you'll be good to go. We're working to inform all users of our AutoCollector SDK that they should upgrade immediately. Thanks again for bringing this to our attention.
Thank you for the quick fix and the transparency <3