Why does the Simplifi webpage expose my full name and email address?

RobertInSF
RobertInSF Member
edited March 1 in Report a Bug

Why did the programmer at Simplifi expose my full name and my full email address to my browser console wit DEBUG statements??

ALL DEBUG INFORMATION should be REMOVED from production applications - this is a security hole and should be resolved immediately.

Just use your CONSOLE for your web-browser and you see your full name/email address fully exposed in readable text outside of any secured environment.

Comments

  • UrsulaA
    UrsulaA Superuser ✭✭✭✭
    edited January 28

    Interesting, can you redact your name and address and show were the information shows up? I looked in my web app following the steps above and I cannot see it. I am using Windows 11 and web app release 3.97 with Microsoft Edge Version 121.0.2277.83 (Official build) (64-bit).

    Update: I found what you found on the web app when logged in. I searched for my name under console and it came up yesterday.

    I tried again today and my name was not found. I launched dev tools by pressing F12 on Microsoft Edge Version 121.0.2277.83 (Official build) (64-bit) then searched for my name under console.

    I wonder if this is related to the send feedback option Simplifi has to troubleshoot.

    To compare, I logged in to the Wells Fargo site, went to the console and did not find my name.

    Simplifi User Since Nov 2023

    Minter 2014-2023

    Questionable Excel before 2014 to present

  • RobertInSF
    RobertInSF Member
    edited January 31

    "To compare, I logged in to the Wells Fargo site, went to the console and did not find my name.To compare, I logged in to the Wells Fargo site, went to the console and did not find my name."

    A DEBUG STATEMENT IS A CUSTOM STATEMENT DONE BY PROGRAMMERS. Has NOTHING AT ALL to do with another website.

    Of course Wells Fargo didn't do this….no one does this.

  • RobertInSF
    RobertInSF Member

    To be clear, the PRODUCTION APPLICATION should NOT have a single debug statement in it - otherwise, it is careless programming. At a very minimum, the information being debugged should only be at super users, beta users, internal users. It should NEVER be left in a production application …that's just BASIC PROGRAMMING! It's a VERY careless bug done by Intuit programmers.

  • RobertInSF
    RobertInSF Member

    The problem is in: utils/intercom.js

    There is a DEBUG statement to CONSOLE.

    It exposes my FULL NAME and my FULL EMAIL ADDRESS in a NON SECURED WAY.

    utils/intercom.js DEBUG:
    intercom identify:

    dataset_id: "408948260584022785"​email: "MY EMAIL"​groups: "oauth.approvals,openid,password.write,qcs.me,qcs_acme_beta,scim.me,uaa.user"​name: "MY FULL NAME"​qcs_id: "408948104691804416"​scope: "openid qcs.me uaa.user"​source: undefined​user_id: "408948104691804416"

  • UrsulaA
    UrsulaA Superuser ✭✭✭✭
    edited January 31

    To be clear, I am a user like you. I tried to find my name in Simplifi while logged in and could not find it in the console either. I found it 2 days ago but not today.

    Simplifi User Since Nov 2023

    Minter 2014-2023

    Questionable Excel before 2014 to present

  • RobertInSF
    RobertInSF Member
    edited January 31

    Hi,

    Well I am a programmer by trade - not a user, who wrote WEB APPLICATIONS.

    You cannot expose someone's email address to the CONSOLE along with their FULL NAME and think that passes any security audit. It's reckless and makes me wonder what other security holes are in Quicken Simplifi — even if the programmer did this by mistake, he/she should be written up - Q/A and any tools should have picked up on this when it was placed in production.

    It's reckless.

  • RobertInSF
    RobertInSF Member
    edited January 31

    IN FACT, NO DEBUG Statements should appear on a production application, especially one that works with a user's finances.

    Look for the: utils/intercom.js DEBUG:

  • chiphum
    chiphum Member

    😡 I found it too!!! Console must be set to Verbose on Chrome.

  • ajbopp
    ajbopp Member ✭✭✭✭

    @RobertInSF Just FYI, it is not helpful to try to make a point by putting it in all caps. Many people online interpret this as unnecessarily aggressive and/or condescending, and it is certainly not likely to increase the priority with which the underlying issue is addressed.

    That said, I only use mobile web browsers which typically don't have a console function, so I can't verify if I've seen it or not. But I do agree that it's unacceptable and should be changed quickly.

    Anthony Bopp
    Simplifi User Since July 2022
    Money talks. But all my paycheck ever says is goodbye

  • RobertInSF
    RobertInSF Member

    utils/intercom.js DEBUG:

    intercom identify:

    Object { user_id: "408948104691804416"

    dataset_id: "408948260584022785"

    email: "HERE"

    groups: "oauth.approvals

    name: "HERE

    qcs_id: "408948104691804416"

    scope: "openid qcs.me uaa.user"

    source: undefined

    user_id: "408948104691804416"

    <prototype>: Object { … }

  • RobertInSF
    RobertInSF Member

    utils/intercom.js DEBUG:
    intercom identify:

    dataset_id: "408948260584022785"​email: "MY EMAIL ADDRESS"​groups: "oauth.approvals,openid,password.write,qcs.me,qcs_acme_beta,scim.me,uaa.user"​name: "MY FULL NAME"​qcs_id: "408948104691804416"​scope: "openid qcs.me uaa.user"​source: undefined​user_id: "408948104691804416"

    The programmer who did this should be written up.

  • Coach Natalie
    Coach Natalie Administrator, Moderator admin

    @RobertInSF, thanks for posting to the Community regarding this issue!

    I'm personally not familiar with the browser consoles, what info can and will be included in them, or how much of a security risk it is. With that, I did go ahead and pass this along to our product team so they can take a closer look. I'll let you know if they need any further info from you.

    Thanks, again!

    -Coach Natalie

    -Coach Natalie

This discussion has been closed.