
Apr 01, 2025 | The Hacker News | Web Security / GDPR Compliance

Are your security tokens truly secure?

Explore how Reflectiz helped a major retailer uncover a Facebook Pixel that was secretly tracking sensitive CSRF tokens because of a human-error misconfiguration. Learn about the detection process, response strategies, and steps taken to mitigate this critical issue. You can download the full case study here.

By implementing Reflectiz’s recommendations, the retailer avoided the following potential consequences:

  • Potential GDPR fines (up to €20M or 4% of turnover)
  • Average data breach cost of $3.9M
  • 5% customer churn

Introduction

As an online retailer, you may not be familiar with CSRF tokens, but it’s crucial to understand the importance of protecting them from accidental oversharing by the Facebook Pixel. Failure to do so could result in significant fines from data protection regulators. This article aims to provide a brief overview of the issue and explain the best way to protect your business against it.

For a more in-depth exploration of this issue, you can download our free case study on the subject here. The case study examines a real-world example of a global online apparel and lifestyle retailer that faced this issue. While this article provides a concise overview of the threat, the case study delves deeper into the problem and its solution.

Let’s take a closer look at how this issue unfolded and why it’s essential for online security.

What happened and why it matters

In summary, a web threat monitoring solution called Reflectiz discovered a data leak in the retailer’s systems that others had missed: its Facebook Pixel was inadvertently sharing a security mechanism, CSRF tokens, that it should have kept confidential.

CSRF tokens were designed to prevent CSRF, which stands for cross-site request forgery. This type of cyberattack involves tricking a web application into performing certain actions by convincing it that they came from an authenticated user.

Essentially, it exploits the trust that the web application has in the user’s browser.

Here’s how it works:

  • The victim is logged into a trusted website (e.g., their online banking).
  • The attacker creates a malicious link or script and tricks the victim into clicking it (this could happen via email, social media, or another website).
  • The malicious link sends a request to the trusted website. Since the victim is already authenticated, their browser automatically includes their session cookies or credentials, making the request appear legitimate to the web application.
  • As a result, the web application will carry out the action in the attacker’s malicious request, such as transferring funds or changing account details, without the victim’s consent.

Note that this is not a malicious activity event: the Pixel is a legitimate script behaving as configured, so ‘blockers’ that monitor traffic for malicious scripts would not flag any issue.

Developers can use various tools to prevent this from happening, and one of them is CSRF tokens. They ensure that an authenticated user’s browser only carries out the actions the user intended, not the ones requested by an attacker.

Reflectiz recommended storing CSRF tokens in HttpOnly cookies, which prevents third-party scripts, like Facebook Pixel, from accessing them.

The misconfiguration problem

In the case study example available here, the retailer’s Facebook Pixel had been misconfigured. The misconfiguration allowed the pixel to inadvertently access CSRF tokens—critical security elements that prevent unauthorized actions on behalf of authenticated users. Exposing these tokens created a serious vulnerability, with the risk of data leaks and of unauthorized actions being performed on behalf of users.

Like many online retailers, your website probably uses the Facebook Pixel to track visitor activities to optimize its Facebook advertising, but it should only gather and share the information it requires for that purpose, and it should only do so after obtaining the correct user permissions. Since CSRF tokens should never be shared with any third party, there is no legitimate configuration or consent under which the Pixel should be collecting them.

Here’s how Reflectiz’s technology works to uncover such vulnerabilities before they turn into serious security risks.

The Fix

Reflectiz’s automated security platform was employed to monitor the retailer’s web environment. During a routine scan, Reflectiz identified an anomaly with the Facebook Pixel. It was found to be interacting with the page incorrectly, accessing CSRF tokens and other sensitive data. Through continuous monitoring and deep behavioral analysis, Reflectiz detected this unauthorized data transmission within hours of the breach. This was equivalent to sharing the keys to their house or the password to their bank account, which others could exploit in the future.

Reflectiz acted swiftly, providing a detailed report to the retailer. The report outlined the misconfiguration and recommended immediate actions, such as configuration changes to Facebook Pixel code, to stop the Pixel from accessing sensitive data.

Data protection regulators take a dim view of businesses that accidentally overshare restricted information with unauthorized third parties, and fines can easily run into millions of dollars. That’s why the 10 to 11 minutes it will take you to read the full case study could be the best time investment you make all year.

Next Steps

Reflectiz’s recommendations didn’t just stop with immediate fixes; they laid the foundation for ongoing security improvements and long-term protection. Here’s how you can protect your business from similar risks:

  1. Regular Security Audits:
    • Continuous Monitoring: Implement a system of continuous monitoring to track all third-party scripts and their behavior on your website. This will help you detect potential vulnerabilities and misconfigurations in real-time, preventing security risks before they escalate.
    • Periodic Security Audits: Schedule regular audits to ensure that all security measures are up to date. This includes checking for vulnerabilities in your third-party integrations and ensuring compliance with the latest security standards and best practices.
  2. Third-Party Script Management:
    • Evaluate and Control Third-Party Scripts: Review all third-party scripts on your website, such as tracking pixels and analytics tools. Limit the access these scripts have to sensitive data and ensure they only receive the data necessary for their function.
    • Use Trusted Partners: Only work with third-party vendors that meet stringent security and privacy standards. Ensure that their security practices align with your business’s needs to prevent unauthorized data sharing.
  3. CSRF Token Protection:
    • HttpOnly Cookies: Follow Reflectiz’s recommendation to store CSRF tokens in HttpOnly cookies, which prevents JavaScript (including third-party scripts) from accessing them. This is a key measure in protecting tokens from unauthorized access by third-party vendors.
    • Enforce Secure Cookie Attributes: Ensure that CSRF token cookies also carry the Secure attribute (sent only over HTTPS) and SameSite=Strict (not sent on cross-site requests), so they are kept out of cross-origin requests and the risk of exposure through malicious third-party scripts is further reduced.
  4. Privacy by Design:
    • Integrate Privacy into Your Development Process: As part of your development and deployment processes, adopt a Privacy by Design approach. Ensure that privacy considerations are at the forefront, from the way data is stored to the way third-party scripts interact with your site.
    • User Consent Management:
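The token protection described in the paragraphs on CSRF tokens and in items 3 above, as an added example in Python that is not Reflectiz’s or the retailer’s code: the session secret lives in an HttpOnly, Secure, SameSite=Strict cookie, and the per-request token embedded in the HTML form is an HMAC bound to that cookie (the OWASP signed double-submit pattern). The practical consequence of HttpOnly is that no script on the page, first- or third-party, can read the cookie, so the form token must be minted server-side and rendered into the page rather than copied from the cookie by JavaScript. `SERVER_KEY`, the function names and the session ids are constructed for this example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Constructed example key; a real deployment loads this from a secret store and rotates it.
SERVER_KEY = b"constructed-example-key-not-for-production"


def issue_session_cookie(session_id: str) -> str:
    """Set-Cookie header value for the cookie that anchors the CSRF token.
    HttpOnly hides it from document.cookie for every script (including the Pixel);
    Secure and SameSite=Strict are the attributes recommended in the article."""
    return f"session={session_id}; Path=/; Secure; HttpOnly; SameSite=Strict"


def mint_csrf_token(session_id: str) -> str:
    """Per-request token rendered into the HTML form, never into a cookie.
    It is an HMAC over the session id plus a fresh nonce, so it is useless
    without the matching HttpOnly cookie the browser holds."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_KEY, f"{session_id}!{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{mac}.{nonce}"


def verify_csrf_token(session_id: Optional[str], token: Optional[str]) -> bool:
    """Server-side check that must run on every state-changing request."""
    if not session_id or not token or "." not in token:
        return False
    mac, nonce = token.split(".", 1)
    expected = hmac.new(SERVER_KEY, f"{session_id}!{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)  # constant-time comparison


def handle_transfer(cookies: Dict[str, str], form: Dict[str, str]) -> Tuple[int, str]:
    """Toy handler for a state-changing action. The browser attaches cookies
    automatically; the form token is present only when our own page built the request."""
    if not verify_csrf_token(cookies.get("session"), form.get("csrf_token")):
        return 403, "CSRF check failed"
    return 200, f"transferred {form.get('amount')}"


if __name__ == "__main__":
    sid = secrets.token_urlsafe(24)
    print(issue_session_cookie(sid))
    tok = mint_csrf_token(sid)
    # Legitimate submission from our own form: cookie and matching token both present.
    print(handle_transfer({"session": sid}, {"csrf_token": tok, "amount": "100"}))
    # Forged cross-site request: the cookie may ride along, but no valid token can.
    print(handle_transfer({"session": sid}, {"amount": "100"}))
```

With SameSite=Strict the browser would not even attach the cookie to a cross-site request, so the HMAC check is the second of two independent layers.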