New Case Study: Global Retailer Overshares CSRF Tokens with Facebook


Are your security tokens truly secure?

Explore how Reflectiz helped a global retailer uncover a Facebook Pixel that was covertly capturing sensitive CSRF tokens because of a human-error misconfiguration. Learn about the detection process, the response strategy, and the steps taken to mitigate this critical issue. Download the full case study here.

By implementing Reflectiz’s recommendations, the retailer avoided the following:

You might not know much about CSRF tokens, but as an online retailer, you need to know enough to avoid any accidental oversharing of them by the Facebook Pixel. Getting this wrong could mean enormous fines from data protection regulators, so the purpose of this article is to give you a brief overview of the problem and explain the best way to protect your business against it.

You can explore this key issue in greater depth by downloading our free new case study on the subject [from here]. It goes through a real-world example of when this happened to a global online apparel and lifestyle retailer. It explains the issue they faced in more detail, but this article is a bite-sized overview of the threat to get you up to speed.

Let’s take a deeper look at how this issue unfolded and why it matters for online security.

In a nutshell, a web threat monitoring solution called Reflectiz discovered a data leak in the retailer’s systems that other tools missed: its Facebook Pixel was oversharing CSRF tokens, security values that should have stayed strictly within the retailer’s own site.

CSRF tokens were invented to stop CSRF, which stands for cross-site request forgery. It’s a type of cyberattack that tricks a web application into performing actions the user never intended by making the forged request look as though it came from that authenticated user.

Essentially, it exploits the trust that the web application places in the user’s browser.

Here’s how it works:

[Note that this is not a malicious activity event. All ‘blockers’ that monitor the traffic for malicious scripts would not detect any issues.]

Developers can use various tools to stop this from happening, and one of them is CSRF tokens. They ensure that authenticated users only perform the actions they intend to, not the ones requested by attackers.

Reflectiz recommended storing CSRF tokens in HttpOnly cookies, which prevents third-party scripts, like Facebook Pixel, from accessing them.

In the case study example [that you can find here] the retailer’s Facebook Pixel had been accidentally misconfigured. The misconfiguration allowed the pixel to inadvertently access CSRF tokens, the critical security elements that prevent unauthorized actions on behalf of authenticated users. Exposing these tokens to a third party created a serious security vulnerability, with the risk of data leaks and of unauthorized actions being performed on behalf of users.

Like many online retailers, your website will probably use the Facebook Pixel to track visitor activities to optimize its Facebook advertising, but it should only be gathering and sharing the information it requires for that purpose, and it should only be doing so after obtaining the correct user permissions. Since CSRF tokens should never be shared with any third party, there is no legitimate configuration in which the Pixel collects them.

Here’s how Reflectiz’s technology works to uncover such vulnerabilities before they turn into serious security risks.

Reflectiz’s automated security platform was employed to monitor the retailer’s web environment. During a routine scan, Reflectiz identified an anomaly with the Facebook Pixel. It was found to be interacting with the page incorrectly, accessing CSRF tokens and other sensitive data. Through continuous monitoring and deep behavioral analysis, Reflectiz detected this unauthorized data transmission within hours of the breach. This was a bit like sharing the keys to their house or the password to their bank account. They’re actions that others could exploit in the future.
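As an added example (not Reflectiz’s code or the retailer’s), here is the kind of check a monitor can run over outbound requests captured from the storefront: every parameter of a third-party request is compared against the CSRF tokens the server issued, and any match is flagged. The host names, pixel ID, tokens and request URLs are constructed for illustration, and the Pixel’s custom-data parameters are shown in a plausible but illustrative form.

```python
from urllib.parse import parse_qsl, urlsplit

# Constructed sample data: CSRF tokens the server issued to three sessions.
ISSUED_TOKENS = {
    "sess-a1": "7f3c9e2b4d1a8c6e5f0b2a9d3e7c1b4f",
    "sess-b2": "0a1b2c3d4e5f60718293a4b5c6d7e8f9",
    "sess-c3": "f9e8d7c6b5a4938271605f4e3d2c1b0a",
}

# Constructed sample of outbound requests observed on the storefront pages
# (what a browser-side monitor or proxy would record). Illustrative only.
CAPTURED_REQUESTS = [
    # First-party form post carrying its own token: expected, not a leak.
    "https://shop.example/checkout?csrf_token=7f3c9e2b4d1a8c6e5f0b2a9d3e7c1b4f",
    # Pixel request that only reports an event: fine.
    "https://www.facebook.com/tr?id=1234567890&ev=PageView",
    # Pixel request whose custom data echoes the hidden form field: a leak.
    "https://www.facebook.com/tr?id=1234567890&ev=AddToCart"
    "&cd[csrf_token]=0a1b2c3d4e5f60718293a4b5c6d7e8f9",
    # Whole form serialized into one parameter: still a leak.
    "https://www.facebook.com/tr?id=1234567890&ev=Lead"
    "&cd[form]=email%3Da%2540b.example%26csrf_token%3Df9e8d7c6b5a4938271605f4e3d2c1b0a",
]

FIRST_PARTY_HOSTS = {"shop.example"}


def find_token_leaks(requests, issued_tokens, first_party_hosts):
    """Return (host, parameter, session_id) for every third-party request
    that carries an issued CSRF token anywhere in its query string."""
    leaks = []
    for url in requests:
        parts = urlsplit(url)
        if parts.hostname in first_party_hosts:
            continue  # tokens are meant to travel only to the first party
        # parse_qsl decodes one level, so a token nested inside serialized
        # form data becomes visible as a substring of the parameter value.
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            for session_id, token in issued_tokens.items():
                if token in value:
                    leaks.append((parts.hostname, name, session_id))
    return leaks


if __name__ == "__main__":
    for host, param, session in find_token_leaks(
        CAPTURED_REQUESTS, ISSUED_TOKENS, FIRST_PARTY_HOSTS
    ):
        print(f"LEAK: token of {session} sent to {host} in parameter {param!r}")
```

In production the issued-token list would come from the server session store and the requests from the monitoring pipeline; the substring match matters because the Pixel’s custom data can carry an entire serialized form, not just a named field.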

Reflectiz acted swiftly, providing a detailed report to the retailer. The report outlined the misconfiguration and recommended immediate actions, such as configuration changes to Facebook Pixel code, to stop the Pixel from accessing sensitive data.

Data protection regulators take a dim view of your business even if it accidentally overshares this kind of restricted information with unauthorized third parties, and fines can easily run into millions of dollars. That’s why the 10 to 11 minutes it will take you to read the full case study could be the best time investment you make all year.

Reflectiz’s recommendations didn’t just stop with immediate fixes; they laid the foundation for ongoing security improvements and long-term protection. Here’s how you can protect your business from similar risks:

By implementing these next steps, you can proactively strengthen your security posture, safeguard your sensitive data, and prevent similar issues in the future. Reflectiz’s insights provide the roadmap to build a more resilient and secure web environment. Protecting your business from emerging threats is an ongoing effort, but with the right processes and tools in place, you can ensure that your systems remain secure and compliant.

Download the full case study here.
