Customer.io Track Encoded Keys
ID |
customerio_track_encoded_keys |
Severity |
high |
Vendor |
Customer.io |
Family |
API Token |
Description
Customer.io is an automated messaging platform who gives more control and flexibility to craft and send data-driven emails, push notifications, in-app messages, and SMS.
The behavioral tracking API lets you send us data about customers and events representing their activity, so you can identify and track customers with Customer.io. Use this API to add people, set their attributes, and attribute events to them.
Security
Any hardcoded Customer.io API Key is a potential secret reported by this detector.
Accidentally checking-in the key to source control repositories could compromise your Customer.io account.
Examples
CUSTOMERIO-SITE-ID=pkc5ycnph2dejgdjvexc CUSTOMERIO-API-KEY=kwv3n89bcc9hvgsnayeu
CUSTOMERIO-TRACK-API-ENCODED_KEY=F3nP5mFwT3GByJrebHHejcTszDtDTKr8Q9VBXArejI438QwT9KHVAFMH
Mitigation / Fix
-
Remove the
API Keyfrom the source code or committed configuration file. -
Follow your policy for handling leaked secrets, which typically require revoking the secret in the target system(s). API Key revocation can be handled from your dashboard.
-
If under a git repository, you may remove unwanted files from the repository history using tools like
git filter-repoorBFG Repo-Cleaner. You may follow the procedure listed here for GitHub.
|
You should consider any sensitive data in commits with secrets as compromised. Remember that secrets may be removed from history in your projects, but not in other users' cloned or forked repositories. |