Solved

Sensitive Data in Transit

  • 28 February 2020
  • 1 reply
  • 79 views

Our company has enlisted a 3rd party security firm to perform an assessment of our applications. The firm, BitSight Technologies, flagged one of our mobile apps because of a Mixpanel API call that is sending the distinct_ID in the query string and HTTP body. What alternative exists so that value is not exposed?


Feedback from firm

Sensitive Data in Transit (with encryption)
One or more sensitive values were intercepted in transit. This is a high-risk vulnerability as it is possible for an attacker on the same network to easily retrieve this information.


Best answer by stephanie 2 March 2020, 18:39

Hi @BarnettJ,


When you send in event data via the HTTP spec, there is an encryption level that is required via base64 to keep it secure. To read more on the HTTP spec you can take a look here https://developer.mixpanel.com/docs/http#section-tracking-events

As an alternative, you can use a server-side library to send events to Mixpanel if you do not want to use our HTTP spec. 


Hope this helps!
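Editor's added example (not code from this thread, from Mixpanel, or from its client libraries). It constructs a /track request body the way the HTTP spec describes it (JSON, base64-encoded, sent as the `data=` form field) and shows that the distinct_id comes straight back out of it, because base64 is an encoding rather than encryption; the confidentiality of the value on the wire comes from TLS, not from the encoding. It then sketches the server-side alternative: a relay on your own backend that maps an opaque, random session handle to the real distinct_id, so the identifier is never sent from the mobile app at all. The project token, the `AnalyticsRelay` class, `issue_handle`, and the handle-to-id mapping are assumptions made for the example; the endpoint URL and the `data=` payload shape are from Mixpanel's HTTP spec.

```python
"""Mixpanel /track payload on the wire, and a server-side relay pattern.

Constructed example: no network calls are made; requests are built in memory.
"""
import base64
import json
import secrets
from urllib.parse import parse_qs, urlencode

# Assumed placeholder token (not a real Mixpanel project token).
PROJECT_TOKEN = "00000000000000000000000000000000"
TRACK_URL = "https://api.mixpanel.com/track"  # endpoint per Mixpanel's HTTP spec


def build_track_body(event: str, distinct_id: str, props: dict) -> str:
    """Encode a /track body as the HTTP spec describes: JSON -> base64 -> data=."""
    payload = {
        "event": event,
        "properties": {"token": PROJECT_TOKEN, "distinct_id": distinct_id, **props},
    }
    data = base64.b64encode(json.dumps(payload).encode()).decode()
    return urlencode({"data": data})


def recover_distinct_id(body: str) -> str:
    """What anyone who sees the plaintext request (e.g. a proxy on a test device,
    or an attacker on a connection without TLS) does with it: decode and read."""
    data = parse_qs(body)["data"][0]
    return json.loads(base64.b64decode(data))["properties"]["distinct_id"]


def client_request(handle: str, event: str, props: dict) -> str:
    """What the mobile app sends to *our* backend in the relay design: only the
    opaque handle, never the distinct_id (assumed request shape)."""
    return json.dumps({"session": handle, "event": event, "properties": props})


class AnalyticsRelay:
    """Hypothetical backend that owns the handle -> distinct_id mapping and emits
    the Mixpanel-shaped request server-side (here collected in `outbound`)."""

    def __init__(self) -> None:
        self._sessions: dict[str, str] = {}      # handle -> distinct_id
        self.outbound: list[tuple[str, str]] = []  # (url, body) it would POST

    def issue_handle(self, distinct_id: str) -> str:
        """Mint a random, unguessable handle for an authenticated user."""
        handle = secrets.token_urlsafe(32)
        self._sessions[handle] = distinct_id
        return handle

    def track(self, raw_client_body: str) -> bool:
        """Resolve the handle and forward. Unknown handles are dropped, and
        identity/token properties supplied by the client are stripped so the
        app cannot impersonate another distinct_id."""
        req = json.loads(raw_client_body)
        distinct_id = self._sessions.get(req.get("session", ""))
        if distinct_id is None:
            return False
        safe_props = {
            k: v for k, v in req.get("properties", {}).items()
            if k not in ("distinct_id", "token")
        }
        body = build_track_body(req["event"], distinct_id, safe_props)
        self.outbound.append((TRACK_URL, body))
        return True


if __name__ == "__main__":
    wire = build_track_body("Login", "user-4242", {"plan": "pro"})
    print("on the wire:", wire)
    print("decoded distinct_id:", recover_distinct_id(wire))

    relay = AnalyticsRelay()
    h = relay.issue_handle("user-4242")
    app_body = client_request(h, "Login", {"plan": "pro", "distinct_id": "admin"})
    print("app -> backend contains distinct_id?", "user-4242" in app_body)
    relay.track(app_body)
    print("backend -> Mixpanel distinct_id:", recover_distinct_id(relay.outbound[0][1]))
```

Two practical notes. First, confirm the app actually enforces HTTPS to api.mixpanel.com (and does not fall back to plain HTTP); a finding worded "with encryption" usually means the assessor decoded the payload after terminating TLS on an instrumented device, which is expected behaviour for any client-side analytics call, not a weakness of base64. Second, the relay only removes distinct_id from the client path if the handle is random and short-lived and the backend refuses identity properties from the client, as `track` does above.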
