Category: Data

This week, we take a look at how the Twitter API erroneously allowed browsers to cache sensitive data, and how skimmers have found a way to use Google Analytics APIs to get their hands on credit card data.

The header cache-control: no-store had not been set on the API, which meant that the data this API returned to the web page was stored in the browser cache, where anyone with later access to the same browser profile could read it.
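As an added illustration (not code from the newsletter or from Twitter), the following Python script checks a set of response headers for the mistake described above and shows the headers a defender would put on an endpoint that returns private data. The header values in the demo are constructed sample input.

```python
"""Added example: audit a response's Cache-Control for storability."""
from typing import Dict, List


def _parse_cache_control(value: str) -> Dict[str, str]:
    """Parse a Cache-Control value into {directive: argument} (argument may be '')."""
    directives: Dict[str, str] = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"')
    return directives


def cache_findings(headers: Dict[str, str]) -> List[str]:
    """Return findings about whether a browser may store this response.

    `headers` maps header names (any case) to values. An empty list means
    the response is marked non-storable, which is what an API returning
    account data, tokens or card details needs.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    cc = _parse_cache_control(lower.get("cache-control", ""))
    findings: List[str] = []
    if "no-store" not in cc:
        findings.append("Cache-Control lacks no-store: browser may write the response to its cache")
    if "max-age" in cc and cc["max-age"] != "0" and "no-store" not in cc:
        findings.append(f"Cache-Control max-age={cc['max-age']} allows reuse from cache")
    if "public" in cc:
        findings.append("Cache-Control public: shared caches may also store the response")
    if "expires" in lower and "no-store" not in cc:
        findings.append("Expires header set without no-store: freshness lifetime granted")
    return findings


def sensitive_response_headers() -> Dict[str, str]:
    """Headers for an endpoint that returns private data.

    no-store is the directive that matters; the others are belt-and-braces
    for HTTP/1.0 caches and proxies that ignore it.
    """
    return {
        "Cache-Control": "no-store, no-cache, must-revalidate, max-age=0",
        "Pragma": "no-cache",
        "Expires": "0",
    }


if __name__ == "__main__":
    # Constructed sample: an API response that forgot no-store.
    forgot_no_store = {
        "Content-Type": "application/json",
        "Cache-Control": "private, max-age=600",
    }
    for finding in cache_findings(forgot_no_store):
        print("FINDING:", finding)
    print("hardened:", cache_findings(sensitive_response_headers()))
```

Note that "private" on its own is not enough: it only keeps shared caches out, and the browser cache is exactly the one this incident was about.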

This is only the first leg of the journey: attackers still need a way to ship the stolen data to their servers, and many sites rely on Content Security Policy (CSP) to prevent that. An allow-list that includes a popular analytics domain, however, also permits any script on the page to send data to that domain.
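To make the CSP side of this concrete, here is an added example (not from the newsletter) in Python: a minimal evaluator that decides whether a policy lets page scripts send data to a given URL, plus an audit helper that lists every non-'self' destination a policy allows for fetch/XHR and image loads. The policy and the shop origin are constructed, and the matcher implements only host, scheme, wildcard, 'self' and 'none' sources, which is enough for this check.

```python
"""Added example: which destinations does a CSP let page scripts send data to?"""
from typing import Dict, List
from urllib.parse import urlparse


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Parse a Content-Security-Policy header into {directive: [sources]}."""
    result: Dict[str, List[str]] = {}
    for directive in policy.split(";"):
        tokens = directive.split()
        if tokens:
            result[tokens[0].lower()] = tokens[1:]
    return result


def _host_source_matches(source: str, url: str) -> bool:
    """Match a host-source such as https://a.example or *.example.com."""
    target = urlparse(url)
    scheme, sep, rest = source.partition("://")
    if not sep:
        scheme, rest = "", source
    if scheme and scheme != target.scheme:
        return False
    host = rest.split("/")[0].split(":")[0]  # drop path and port for this check
    if host.startswith("*."):
        return (target.hostname or "").endswith(host[1:])
    return target.hostname == host


def request_allowed(policy: str, directive: str, url: str, page_origin: str) -> bool:
    """True if `directive` (e.g. connect-src) permits a request to `url`.

    Falls back to default-src like a browser does; no applicable directive
    means the request is not restricted at all.
    """
    csp = parse_csp(policy)
    sources = csp.get(directive)
    if sources is None:
        sources = csp.get("default-src")
    if sources is None:
        return True
    target = urlparse(url)
    for source in sources:
        s = source.lower()
        if s == "'none'":
            return False
        if s == "*":
            return True
        if s == "'self'":
            if f"{target.scheme}://{target.netloc}" == page_origin:
                return True
            continue
        if s.endswith(":") and "." not in s:  # scheme-source such as https:
            if s[:-1] == target.scheme:
                return True
            continue
        if s.startswith("'"):  # nonces/hashes do not govern connections
            continue
        if _host_source_matches(s, url):
            return True
    return False


def data_sinks(policy: str) -> Dict[str, List[str]]:
    """List the non-'self' sources of the directives that control where
    scripts can send data via fetch/beacon (connect-src) or image requests
    (img-src). Each entry is a destination any script on the page may use."""
    csp = parse_csp(policy)
    sinks: Dict[str, List[str]] = {}
    for directive in ("connect-src", "img-src"):
        sources = csp.get(directive)
        if sources is None:
            sources = csp.get("default-src")
        if sources is None:
            sources = ["*"]
        external = [s for s in sources if s.lower() not in ("'self'", "'none'")]
        if external:
            sinks[directive] = external
    return sinks


# Constructed policy of the kind many shops deploy: everything 'self' except
# the analytics provider, which is allowed as a script, connect and image target.
SHOP_ORIGIN = "https://shop.example"
SHOP_POLICY = (
    "default-src 'self'; "
    "script-src 'self' https://www.google-analytics.com; "
    "connect-src 'self' https://www.google-analytics.com; "
    "img-src 'self' https://www.google-analytics.com"
)

if __name__ == "__main__":
    print(request_allowed(SHOP_POLICY, "connect-src", "https://unlisted.example/x", SHOP_ORIGIN))
    print(request_allowed(SHOP_POLICY, "connect-src",
                          "https://www.google-analytics.com/collect", SHOP_ORIGIN))
    print(data_sinks(SHOP_POLICY))
```

The audit output is the point: CSP decides by destination, not by which script is talking, so every destination listed by data_sinks is reachable by any code that runs on the page, first-party or injected. Reviewing that list, and watching for unexpected traffic volumes or parameters to those destinations, is the defender's lever.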

This is a cautionary tale to keep in mind whenever a multitenant third-party API is in use: allow-listing the provider's domain allows every tenant of that provider, not just your own account.
