Crazy Egg Analytics Breach Report
Below is my step-by-step experience exposing a significant security breach in the Crazy Egg analytics application, by doing nothing more than trying to use their service in exactly the way they provide. This is a breach report with reproduction steps. I’m making this report public because when I reported this to them privately, they responded that “there is no security breach or vulnerability here”, which is quite clearly incorrect.
The Story
I received an invitation from a client to join their Crazy Egg web analytics account. I accepted the invitation and was able to see their heatmaps, which is quite valuable for UX work. I’ve been looking at Crazy Egg as a heatmaps provider for a while, and after seeing it first-hand, decided I wanted to move forward with getting their heatmaps on my own web apps.
Unfortunately, I couldn’t find a way to do this from the account I had just created. I couldn’t find any option to add my own products/teams to the account, and I couldn’t find any documentation on this. In order to set up my own account I needed a fresh email, so I changed my current account to a client-specific alias email (e.g. me+client@domain.com) and then logged out.
I then completed my own signup under my main email address (which I was now able to do, since that email was no longer “taken”), entered a domain, selected a plan, and entered my payment information.
However, I was then taken to the portal logged in to my client’s account as an OWNER (not just owner permissions, but actually impersonating an owner account). This was literally someone else’s account, with their email address and access level. I was able to verify that my own account only had Admin permissions (not owner), and while impersonating I could see every user, setting, and piece of payment information on the account.
There were a few things that really got my attention at this point:
1. I’m acting as a different user
2. My permissions have been escalated
3. While the person whose account I was given access to had their correct email listed, their name had been replaced with mine
4. The client’s payment information had been replaced with MY payment information
So obviously the first thing I tried to do was delete MY payment information from their account, but I couldn’t. Like so many other poorly-designed SaaS products, it’s impossible to delete the last payment method on an account.
At this point I should have taken a few screenshots, but I completely spaced this in my concern over what was going on. I then logged out and tried to log back in to the new account I had just created. I wasn’t able to — it told me the account didn’t exist and tried to walk me back through the account setup process. So I bailed on that and opened a private browsing window. I then logged in using my client-specific email account and was back in their account with my normal permissions; however, my own domain (which I had attempted to add during my account setup) had been added to their account. Since I was an Admin I was able to remove that data.
The next step was to write up the report and send it to my client, so they could remove my payment information and also be aware that their account had been compromised. I also forwarded the report to Crazy Egg, with the following summary.
To summarize the security issues I encountered on this brief journey:
1. I accidentally gained owner level access to another team’s account as another person
2. My own payment information ended up attached to their account (instead of mine)
3. My own domains ended up attached to the wrong account
4. Data leaked between logins / accounts
Please treat this as an official notification of a security breach, and both confirm receipt promptly and let me know that you are addressing these issues.
Unfortunately, this was the response I received from Crazy Egg:
This not only dismisses the existence and severity of their security issues, but is poor customer service. Please beware of using Crazy Egg’s services, and if you have any influence with them please ask them to fix this issue.