Public Last Mile auto-fill vulnerability

Impact: On May 7, 2015, we were made aware of a vulnerability in the Dynatrace Synthetic Monitoring Last Mile network. The vulnerability allows a user running the Last Mile peer to collect form-values (Autofill values) entered by some Firefox tests. Although our Last Mile peer software deletes all cached information before/after a test, the vulnerability exposed a way of copying cached information during test execution for longer-running tests.

Dynatrace deployed a solution to this vulnerability on the evening of Saturday, May 9, 2015 (CMR-779). The fix prevents the Last Mile browser from caching any form-values during test execution and disables all screenshot mechanisms in the Public Last Mile.

Solution: The recommendation for running transactions on the Public Last Mile network is to use monitoring accounts with limited/appropriate access for any Synthetic test script. Also, use the encryption feature in the Recorder for any “FormFill” script actions that enter website UserID and password information.

Get article updates or report security vulnerabilities

Dynatrace takes a proactive approach in communicating security vulnerability information to customers. Learn more about Dynatrace security and our security policy. To report a security issue, email security@dynatrace.com.
