Tuesday, April 14, 2015

Impact of sensitive information sent to Analytics in modern world applications


Background:

Application analytics is becoming a very important aspect from a business standpoint across companies and ventures. It is even more important for consumer-centric sites such as eCommerce sites, portals and mobile apps. Analytics servers are usually owned by a third party; the application owner integrates the analytics code and forces the browser session to push some data cross-domain to those servers.

Problem Domain:

Let's take an example: an application running an eCommerce portal has implemented third-party analytics services, as shown in figure 1. The server is well guarded by a firewall, and secure coding practices have been applied to major components across the application. The portal uses analytics services, and this service can be integrated with JavaScript, which needs to be implemented across various sets of pages.

Figure 1 – Analytics Deployment for Target Application


This type of scenario brings some unique threats if the application's integration with the analytics server is not done securely. Here is the list of issues we have observed during our consulting engagements.

  • Developers may have blindly integrated the code on every page, so links and visited URLs go to the analytics server for analysis. That includes pages such as forgot password, reset password and SSO pages, all of which have URLs containing sensitive tokens. These tokens can end up providing access to the site, and user sessions can be compromised. This is one of the major threats we have observed across many applications.
  • The analytics server is running over a non-SSL channel, which may end up exposing traffic and certain sensitive information.
  • In certain cases the third-party component's JS implementation code has DOM-based XSS and open redirect types of vulnerabilities, which can be exploited.
  • The analytics server is running with certain open ports and, in very few cases, can be compromised.

Conclusion

It is imperative to evaluate analytics code and its integration from a development standpoint. The code should be analyzed for vulnerabilities, and it should be integrated into selected pages only. There is no point in integrating it on all pages, where it may end up sending sensitive tokens to the analytics server. Also, the deployment of the analytics server, including its open ports, security posture and communication channel, should be carefully evaluated.
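
One way to apply the "selected pages only" advice on the client side, as an added example that is not code from the original post or from any analytics vendor. The endpoint URL, the path patterns and the parameter names are assumptions for illustration and must be adapted to the real application.

```javascript
// Assumed values: replace with the application's real endpoint, routes and parameter names.
const ANALYTICS_ENDPOINT = "https://analytics.example.com/collect";
const SKIP_PATHS = [/^\/forgot-password/i, /^\/reset-password/i, /^\/sso(\/|$)/i];
const SENSITIVE_PARAMS = /^(token|reset_token|code|session|sid|auth|key|ticket|saml\w*)$/i;

// Returns a URL that is safe to report, or null when the page must not be reported at all.
function sanitizeForAnalytics(rawUrl) {
  const url = new URL(rawUrl);
  // Sensitive flows are excluded entirely: their tokens may sit in the path as well.
  if (SKIP_PATHS.some((re) => re.test(url.pathname))) return null;
  // Copy the key list first, because deleting while iterating skips entries.
  for (const name of [...url.searchParams.keys()]) {
    if (SENSITIVE_PARAMS.test(name)) url.searchParams.delete(name);
  }
  // Fragments can carry tokens too (for example implicit-flow responses), so drop them.
  return url.origin + url.pathname + url.search;
}

// Builds the beacon URL, or returns null when nothing should be sent.
function buildBeacon(pageUrl, referrer) {
  const endpoint = new URL(ANALYTICS_ENDPOINT);
  // Refuse a non-TLS analytics channel.
  if (endpoint.protocol !== "https:") {
    throw new Error("analytics endpoint must use HTTPS");
  }
  const page = sanitizeForAnalytics(pageUrl);
  if (page === null) return null;
  endpoint.searchParams.set("page", page);
  // The referrer leaks the previous URL, so it gets the same treatment.
  const ref = referrer ? sanitizeForAnalytics(referrer) : null;
  if (ref !== null) endpoint.searchParams.set("ref", ref);
  return endpoint.toString();
}

// In a browser the caller would be roughly (guarded so the file also runs in Node):
if (typeof window !== "undefined" && typeof navigator.sendBeacon === "function") {
  const beacon = buildBeacon(window.location.href, document.referrer);
  if (beacon !== null) navigator.sendBeacon(beacon);
}
```

A name-based deny list only catches parameters it knows about; an allow list of parameters that may be reported is the stricter variant.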