Remove Store Subscriber Email as ID#1137
Draft
n7studios wants to merge 1 commit into
Draft
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Follow-up to #1136 which required signed subscriber IDs for tag-restricted content.
Removes the
kit/v1/subscriber/store-email-as-id-in-cookieREST API endpoint and the related JS that called it on Kit Form submissions to store the submitted email address' subscriber ID as a cookie. The endpoint was flagged in the reported vulnerability as an unauthenticated identity lookup: an attacker knowing a subscriber's email could obtain their numeric subscriber ID and set theck_subscriber_idcookie without proof of email ownership.After #1136, that numeric ID can no longer be used to bypass gated content. However, it can still be used for:
An attacker able to forge a subscriber identity via this endpoint could therefore view another subscriber's personalised Custom Content, and self-add to any tag the creator uses for "Add a Tag on visit" (potentially triggering unintended automations).
Removing the endpoint eliminates this residual identity-forging vector while preserving the primary way numeric subscriber IDs are populated - via the
ck_subscriber_idURL parameter included in Kit email links. Creators using inline Kit forms without redirects will lose immediate personalisation on that same page view; personalisation continues to work on subsequent visits via email link.If removing this functionality causes creator issues, it can safely be reinstated. At this stage, preferring signed subscriber IDs wherever possible is the more defensible position.
Testing
Removed Integration tests that exercised the removed REST endpoint (RESTAPITest, RESTAPIRestrictContentTest) and the EndToEnd Cest (SubscriberEmailToIDOnFormSubmitCest) that verified the JS flow.
Checklist