Customer.io Track Keys

ID

customerio_track_keys

Severity

high

Vendor

Customer.io

Family

API Token

Description

Customer.io is an automated messaging platform who gives more control and flexibility to craft and send data-driven emails, push notifications, in-app messages, and SMS.

The behavioral tracking API lets you send us data about customers and events representing their activity, so you can identify and track customers with Customer.io. Use this API to add people, set their attributes, and attribute events to them.

Security

Any hardcoded Customer.io API Key is a potential secret reported by this detector.

Accidentally checking-in the key to source control repositories could compromise your Customer.io account.

Examples

CUSTOMERIO-SITE-ID=pkc5ycnph2dejgdjvexc
CUSTOMERIO-API-KEY=kwv3n89bcc9hvgsnayeu
CUSTOMERIO-TRACK-API-ENCODED_KEY=F3nP5mFwT3GByJrebHHejcTszDtDTKr8Q9VBXArejI438QwT9KHVAFMH

Mitigation / Fix

  1. Remove the API Key from the source code or committed configuration file.

  2. Follow your policy for handling leaked secrets, which typically require revoking the secret in the target system(s). API Key revocation can be handled from your dashboard.

  3. If under a git repository, you may remove unwanted files from the repository history using tools like git filter-repo or BFG Repo-Cleaner. You may follow the procedure listed here for GitHub.

You should consider any sensitive data in commits with secrets as compromised.

Remember that secrets may be removed from history in your projects, but not in other users' cloned or forked repositories.

Reference

https://customer.io/docs/api/#section/Overview