neciu/react-mixpanel

Updating Mixpanel-Browser Dependency

Closed this issue · 1 comments

Got an email from mixpanel about autotrack:

Dear Mixpanel Customer,

We are writing you today about a recently discovered data ingestion issue on the Mixpanel platform that affects your project(s) and requires that you update your SDK as soon as possible (unless your SDK is set to automatically update). Before we go into detail on what happened and how we’ve addressed the issue, we want to apologize for any difficulty this may cause your organization. Our team is committed to remedying this situation quickly, and we’re available to talk through any questions or concerns—just reply to this email, and we’ll be in touch. 

What happened?

On January 5th, 2018, a customer informed us that they observed Autotrack sending the values of password fields in events. We confirmed that this was unexpected behavior; by design, Autotrack should not send the values of hidden and password form fields.  

We immediately began investigating further and learned that the behavior the customer was observing was due to a change to the React JavaScript library made in March 2017. This change placed copies of the values of hidden and password fields into the input elements’ attributes, which Autotrack then inadvertently received. Upon investigating further, we realized that, because of the way we had implemented Autotrack when it launched in August, 2016, this could happen in other scenarios where browser plugins (such as the 1Password password manager) and website frameworks place sensitive data into form element attributes. 

To date, our forensics and security experts have not seen any indication that this data was downloaded or accessed by any Mixpanel employee or third party. It was a bug, plain and simple. Upon discovery, we took immediate steps to secure the data and shut down further receipt. As of today, all data that was inadvertently received has been destroyed. In order to be as transparent as possible, here is more detail on how we have addressed and will continue to address this issue. 

How we’re addressing this issue 

Since discovery, we have been actively working to resolve the issue for affected customers. The majority of projects were not impacted, but based on our findings, we believe that you may have project(s) that were impacted, which we list at the end of this email. 

We took immediate steps when we discovered this data ingestion issue in the form of the following:

- Limit further receipt of data: On January 9th, we implemented a server-side filter to securely discard this data as soon as we receive it, and soon thereafter refined the filter to solve for the last remaining edge cases.
- Delete the inadvertently received data: We have cleared all data from our database that we inadvertently received and, upon request, we can provide you with fine-grained metadata about what data was inadvertently sent to Mixpanel servers. This will include a mapping of distinct IDs to property names (but not the data values themselves, which have been securely deleted using appropriate security measures).
- Fix the Autotrack bug: We have implemented the Autotrack functionality fix in the Mixpanel SDK. You will, however, need to update your SDK as soon as possible to reflect this change. If your SDK is set to automatically update, or if your website loads the SDK directly from our content servers, then no action is required.
- Review any access of this data: We do not believe this data was downloaded or accessed by any Mixpanel employee or third party. To the extent we discover otherwise, we will immediately notify you.

In addition to fixing the root cause of this issue, we’re taking proactive steps to identify and prevent similar issues from occurring in the future:

- Incorporating formal privacy reviews as part of our design and development processes: Security and privacy have always been front of mind at Mixpanel, but we’re adding some additional explicit checkpoints in our product development processes to help ensure that we’ve considered all of the impacts of the changes we make.
- In-depth security/privacy audits of key existing product areas: We’ve learned a lot from this issue, and our team has been diving in to look for similar cases where these same kinds of problems could arise.
- Operationalizing our response tooling: We’ve built new tools in response to this issue to help us identify the scope of data collection, limit access to data, and to purge it from our systems quickly. We’re taking these tools and making them more general purpose so that we can respond more quickly in the unlikely event that a similar problem occurs in the future.
- Data filtering and detection: We’re exploring capabilities that can detect something like this sooner including changes to the SDK to give us more insight into what data is being sent to us, integration with Data Loss Prevention (DLP) solutions, and even using our machine learning capabilities to detect anomalous ingestion.
We are conducting a thorough investigation of what happened and how we handled it. We believe that we have addressed the ingestion issue with the speed and accuracy required as your trusted partner. Below the signature, we have also listed your Project ID(s) and Project Name(s) that were affected.  

If you have questions or for more information, please reply to this email for a response from your account team. Otherwise, as mentioned before, please update your SDK as soon as possible.  

Sincerely,  

The Mixpanel Security team 

They are now on 2.15. Do you need a PR to update the dependency?
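The failure mode the email describes, as an added illustration that is not from this issue or from Mixpanel's SDK: an attribute-copying collector picks up a password whenever a framework or extension mirrors the field's value into a `value` attribute, and a hardened collector that skips sensitive input types and allowlists attribute names does not. Elements are constructed plain objects shaped like `{ tagName, attributes: [{ name, value }] }`, so no DOM is needed; the attribute names and the sample password are assumptions.

```javascript
// Input types whose elements are never reported at all.
const SENSITIVE_INPUT_TYPES = new Set(['password', 'hidden']);
// Attribute names that are safe to report; `value` is deliberately absent.
const ATTRIBUTE_ALLOWLIST = new Set(['id', 'class', 'name', 'type', 'href']);

// Naive collector: copies every attribute on the element. It never reads
// el.value, yet a mirrored `value` attribute still carries the secret.
function collectAttrsNaive(el) {
  const props = {};
  for (const { name, value } of el.attributes) {
    props[`attr__${name}`] = value;
  }
  return props;
}

// Hardened collector: drops password/hidden inputs entirely and reports
// only allowlisted attribute names, so mirrored values cannot leak.
function collectAttrsSafe(el) {
  const attrs = Object.fromEntries(el.attributes.map(a => [a.name, a.value]));
  const type = (attrs.type || 'text').toLowerCase();
  if (el.tagName === 'INPUT' && SENSITIVE_INPUT_TYPES.has(type)) {
    return null; // nothing about this element is sent
  }
  const props = {};
  for (const { name, value } of el.attributes) {
    if (ATTRIBUTE_ALLOWLIST.has(name)) props[`attr__${name}`] = value;
  }
  return props;
}

// Constructed sample: a password field whose value has been mirrored into a
// `value` attribute, the situation the email attributes to React.
const passwordField = {
  tagName: 'INPUT',
  attributes: [
    { name: 'type', value: 'password' },
    { name: 'name', value: 'pw' },
    { name: 'value', value: 'correct horse battery staple' }, // constructed
  ],
};
// Constructed sample: an ordinary text field, also with a mirrored value.
const textField = {
  tagName: 'INPUT',
  attributes: [
    { name: 'type', value: 'text' },
    { name: 'name', value: 'email' },
    { name: 'value', value: 'someone@example.com' }, // constructed
  ],
};
```

Running `collectAttrsNaive(passwordField)` shows the password under `attr__value`, while `collectAttrsSafe` returns `null` for the password field and reports only `type` and `name` for the text field.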

neciu commented

Thank you for pointing this out. I just updated the dependencies - see the latest version of the lib: v0.1.11 https://github.com/neciu/react-mixpanel/tree/v0.0.11