Unanswered question

The website leaks some information in the console about you

Hey there. I just wanted to flag that the website, particularly the "My account" section is leaking informations in the browser console. I'm a software developer and I often open the dev console to see what's going on in the background. I was shocked to see that some JSON data is printed right into the console. This includes your postal code, your userID your accountId and more.

Although it seems to be somewhat encrypted, I don't think this is a good idea to print user details that way in the browser console. A serious company wouldn't do that... This is pure amateurism from a software developer perspective.

Answers

Kevin Miller
Kevin Miller

Kevin Miller

User level
Level
2
1243 / 2000
points

Holy moly. That doesn't look good at all. Any chance you can let them know?

This is what I'm trying to do with this post. There was no way to contact them directly, the chat is overloaded so I don't have the icon, and I'm not a fan of sending a message and hope for a reply, particularly in such case. I thought some exposure might help. Also, sending the message to someone who doesn't understand at all what this is about, might not get the attention is requires.

R Stein
R Stein

R Stein

User level
Level
1
366 / 750
points

But thats only on your browser when you logged in? I don't think its an issue, maybe I'm wrong though.

This happens when you are logged in your account. Each time you navigate, it prints out in the console.

This is definitely an issue, peoples have all sort of crap installed on their computers, there's more software than you think that can be interested in what's in your console output. In any case, consumer information like these shouldn't ever get exposed this way. There's probably enough information in there for any smart kid to play with.

My last reply got moderated, although I don't see why maybe not enough time between replies.

I was answering to @Rebecca S. who said it wasn't an issue. I'll summarize what I said in that moderated reply that isn't yet approved apparently. This is definitely an issue, leaking consumer information is never and will never be "okay".

I believe it's a non-issue, it's your account information, if you logout, there's no information in the console, once you log in, they query the database to get your info and display it on the page.

Andrew
Andrew

Andrew

User level
Level
0
15 / 100
points

What do you mean by leaking? The data for the entire page is available in the console, that's normal. Try typing window.dataLayer in the console, you get an object with a lot of data. Is the issue that it is printed in the console? If you can access this data when not logged in then there is an issue. If data like your password is in plain text then there is an issue. Data that is displayed in the page that is in the console is not an issue.

The risk is not for the advanced user who is cautious about their browser extensions. I see a risk for the average user who might have installed compromised extensions in their browsers that can screen the console output. There's more of them than you can think.

This is only happening once logged in the "My Account" section.

Anyway, outputting in the console on a production level application, is not a good practice. Logs outputting information like this in production are never a good thing regardless of the info provided. Now, seems like I'm the only one seeing an issue with that. I must be a freak about security and good software development practices.

@Marc-Andre you're not a freak about security, there's been a ton of security breaches in high level companies, and with the fact that Fizz is still in beta, and still buggy, any vector of attack should be examined.

 

You opened my eyes, I didn't even think of extensions reading data while your logged in. now I'm thinking of using koho.ca mentioned in another thread https://community.fizz.ca/questions/1843514-pay-fizz-e-transfer in case of a breach

Hey Marc-André,

Thank you for bringing this to our attention, I can assure you we're not leaking any of your information and the behaviour you stated is once you're logged in to your Fizz account. But as others have mentioned in this thread - choose wisely the add-ons you install on your browser and the permissions you give them. Also, as Sam mentioned it's your account information when logged -in i.e. like your banking information...etc. As long as the info is not seen our captured when your logged-out I can assure your info is safe.

Jay

E S
E S

E S

User level
Level
3
3324 / 5000
points

I'm freaking out people could find my postal code. I don't know what to do.

ALLISON
ALLISON

ALLISON

User level
Level
4
5000 / 5000
points

Thank you for bringing this to our attention. I'm now more concerned that fizz doesn't consider this information leaking to be an issue worth looking into.

I was looking at the console this morning to see if it was fixed and guess what. It is not fixed and there's even more! They now output all your billing cycle in the console. Although there's no information that can really be used to compromise your data, I think some developers at Fizz/Videotron need to get their sh** together and be more professional to not leave what seems to be debug informations on the production application.. You know, Angular (which is the framework used to build the my account portal) allows you to do that pretty easily...