Why does the Simplifi webpage expose my full name and email address?
Why did the programmer at Simplifi expose my full name and my full email address to my browser console with DEBUG statements?
ALL DEBUG INFORMATION should be REMOVED from production applications - this is a security hole and should be resolved immediately.
Just open the CONSOLE in your web browser and you will see your full name and email address fully exposed in readable text, outside of any secured environment.
Comments
-
Interesting, can you redact your name and address and show where the information shows up? I looked in my web app following the steps above and I cannot see it. I am using Windows 11 and web app release 3.97 with Microsoft Edge Version 121.0.2277.83 (Official build) (64-bit).
Update: I found what you found on the web app when logged in. I searched for my name under console and it came up yesterday.
I tried again today and my name was not found. I launched dev tools by pressing F12 on Microsoft Edge Version 121.0.2277.83 (Official build) (64-bit) then searched for my name under console.
I wonder if this is related to the send feedback option Simplifi has to troubleshoot.
To compare, I logged in to the Wells Fargo site, went to the console and did not find my name.
Simplifi User Since Nov 2023
Minter 2014-2023
Questionable Excel before 2014 to present
-
"To compare, I logged in to the Wells Fargo site, went to the console and did not find my name."
A DEBUG STATEMENT IS A CUSTOM STATEMENT DONE BY PROGRAMMERS. Has NOTHING AT ALL to do with another website.
Of course Wells Fargo didn't do this... no one does this.
-
To be clear, the PRODUCTION APPLICATION should NOT have a single debug statement in it; otherwise, it is careless programming. At a very minimum, the information being debugged should only be visible to super users, beta users, or internal users. It should NEVER be left in a production application... that's just BASIC PROGRAMMING! It's a VERY careless bug done by Intuit programmers.
-
The problem is in: utils/intercom.js
There is a DEBUG statement to CONSOLE.
It exposes my FULL NAME and my FULL EMAIL ADDRESS in a NON SECURED WAY.
utils/intercom.js DEBUG:
intercom identify:
    dataset_id: "408948260584022785"
    email: "MY EMAIL"
    groups: "oauth.approvals,openid,password.write,qcs.me,qcs_acme_beta,scim.me,uaa.user"
    name: "MY FULL NAME"
    qcs_id: "408948104691804416"
    scope: "openid qcs.me uaa.user"
    source: undefined
    user_id: "408948104691804416"
-
To be clear, I am a user like you. I tried to find my name in Simplifi while logged in and could not find it in the console either. I found it 2 days ago but not today.
-
Hi,
Well, I am a programmer by trade, not just a user, and I wrote WEB APPLICATIONS.
You cannot expose someone's email address to the CONSOLE along with their FULL NAME and think that passes any security audit. It's reckless, and it makes me wonder what other security holes are in Quicken Simplifi. Even if the programmer did this by mistake, he/she should be written up; Q/A and any tools should have picked up on this when it was placed in production.
It's reckless.
-
IN FACT, NO DEBUG Statements should appear on a production application, especially one that works with a user's finances.
Look for the: utils/intercom.js DEBUG:
-
😡 I found it too!!! Console must be set to Verbose on Chrome.
-
@RobertInSF Just FYI, it is not helpful to try to make a point by putting it in all caps. Many people online interpret this as unnecessarily aggressive and/or condescending, and it is certainly not likely to increase the priority with which the underlying issue is addressed.
That said, I only use mobile web browsers which typically don't have a console function, so I can't verify if I've seen it or not. But I do agree that it's unacceptable and should be changed quickly.
Anthony Bopp
Simplifi User Since July 2022
Money talks. But all my paycheck ever says is goodbye
-
utils/intercom.js DEBUG:
intercom identify:
Object { user_id: "408948104691804416"
dataset_id: "408948260584022785"
email: "HERE"
groups: "oauth.approvals
name: "HERE"
qcs_id: "408948104691804416"
scope: "openid qcs.me uaa.user"
source: undefined
user_id: "408948104691804416"
<prototype>: Object { … }
-
utils/intercom.js DEBUG:
intercom identify:
    dataset_id: "408948260584022785"
    email: "MY EMAIL ADDRESS"
    groups: "oauth.approvals,openid,password.write,qcs.me,qcs_acme_beta,scim.me,uaa.user"
    name: "MY FULL NAME"
    qcs_id: "408948104691804416"
    scope: "openid qcs.me uaa.user"
    source: undefined
    user_id: "408948104691804416"
The programmer who did this should be written up.
-
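The console dumps posted above (both the first utils/intercom.js report and the repeated one just before this point) show one pattern: a client-side Intercom identify call writes its whole payload, name and email included, to the browser console. The JavaScript below is an added example written for this thread; it is not Simplifi's utils/intercom.js. It shows that pattern next to a hardened version that logs nothing in production and only a redacted copy elsewhere, plus the check a reviewer would run against captured console output. It assumes the original statement is a console.debug call (the posts only say "DEBUG statement to CONSOLE"; Chrome DevTools hides console.debug output unless the Verbose level is turned on, which matches the Verbose comment above). The name and email in the sample payload are constructed placeholders, the IDs are the ones quoted in the thread, and `identifyUnsafe`, `identifySafe`, `redactIdentify`, `maskEmail`, `makeRecorder` and `leaksPii` are hypothetical names.

```javascript
// Added example (not Simplifi's utils/intercom.js): the console-logging pattern
// described in the thread, beside a hardened version that never logs PII.

// Constructed sample identify payload, shaped like the one posted in the thread.
// The two IDs are the ones quoted there; name and email are placeholders.
const SAMPLE_IDENTIFY = {
  user_id: "408948104691804416",
  dataset_id: "408948260584022785",
  email: "jane.doe@example.com", // constructed placeholder
  groups: "oauth.approvals,openid,password.write,qcs.me,qcs_acme_beta,scim.me,uaa.user",
  name: "Jane Doe", // constructed placeholder
  qcs_id: "408948104691804416",
  scope: "openid qcs.me uaa.user",
  source: undefined,
};

// Fields that are personal data and must not reach a client-side log.
const PII_FIELDS = ["email", "name"];

// Keep only the first character and the domain of an e-mail address: "j***@example.com".
function maskEmail(email) {
  const at = email.indexOf("@");
  if (at < 1) return "***";
  return email[0] + "***" + email.slice(at);
}

// Return a copy of the payload with the PII fields masked; the original is untouched.
function redactIdentify(payload) {
  const copy = { ...payload };
  if (typeof copy.email === "string") copy.email = maskEmail(copy.email);
  if (typeof copy.name === "string") copy.name = "[redacted]";
  return copy;
}

// The pattern the thread describes (hypothetical name): the raw payload is written
// to the console before the identify call. In a browser this would be console.debug,
// visible under Chrome's Verbose level; `logger` is a parameter here only so the
// behaviour can be checked offline.
function identifyUnsafe(payload, logger) {
  logger.debug("intercom identify:", payload);
  return payload;
}

// Hardened form (hypothetical name): production builds log nothing at all, and
// non-production builds log only the redacted copy.
function identifySafe(payload, logger, env) {
  if (env.NODE_ENV !== "production") {
    logger.debug("intercom identify:", redactIdentify(payload));
  }
  return payload;
}

// In-memory stand-in for the browser console so the example runs without DevTools.
function makeRecorder() {
  const lines = [];
  return { debug: (...args) => lines.push(args), lines };
}

// True if any recorded line contains one of the literal PII values from `payload`.
// This is the check a reviewer or a CI test would run over captured console output.
function leaksPii(lines, payload) {
  const blob = JSON.stringify(lines);
  return PII_FIELDS.some(
    (f) => typeof payload[f] === "string" && blob.includes(payload[f])
  );
}

// Demo: run both variants in a development build and report whether PII leaked.
const unsafeLog = makeRecorder();
identifyUnsafe(SAMPLE_IDENTIFY, unsafeLog);
const safeLog = makeRecorder();
identifySafe(SAMPLE_IDENTIFY, safeLog, { NODE_ENV: "development" });
console.log("unsafe variant leaks PII:", leaksPii(unsafeLog.lines, SAMPLE_IDENTIFY));
console.log("safe variant leaks PII:  ", leaksPii(safeLog.lines, SAMPLE_IDENTIFY));
```

The environment check is the minimal fix; a bundler can also strip every console call from the production build (Terser's `drop_console` option does this), which removes the statement rather than relying on a runtime flag. Either way, the identify payload still has to be sent to Intercom for the integration to work; the defect is only that it was also echoed to the console, where any extension or person at the keyboard can read it.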
@RobertInSF, thanks for posting to the Community regarding this issue!
I'm personally not familiar with the browser consoles, what info can and will be included in them, or how much of a security risk it is. With that, I did go ahead and pass this along to our product team so they can take a closer look. I'll let you know if they need any further info from you.
Thanks, again!
-Coach Natalie