Page MenuHomeMy privacy DNS

glassbox.aircanada.ca
Closed, ResolvedPublic

Description

It has come to the daylight that several companies is recording and storing your credit card, username and password information without your knowledge or acceptance of this..

is include, but not limited to

  • aircanada.ca
  • glassboxdigital.io

By such huge leaks we simply have to block such bastard from the root domain level and up.

The following domains blocked by this ticket will be:

  • glassboxdigital.io
  • glassboxdigital.com
  • aircanada.ca
  • hotels.com
  • aisinsurance.com
  • usaa.com
  • bex.com

You can read more on this topic at:

  1. App Analysis: Air Canada on the theappanalyst.com
  2. Big-name travel apps may secretly record your iPhone screen, including credit card info on The Verge

We have by digging into one of the scripts in usaa.com. Those fellas don't joke around:

`{window._cls_config={reportURI:"https://report.usaa.glassboxdigital.io/glassbox/reporting/FFC3F0D4 2F0C-2A18-F1B3-53935466C866/cls_report",recordMouseMoves:true,recordScrolls:true,idleEventTimeInterval:-1,maskList:["usaaNum"],interceptAjax:false,iframesAutoInject:false};}else`

Furthermore by going a big deeper on aircanada.com reveals that they use a number of generic domain to fetch the script:
https://www.aircanada.com/content/dam/aircanada/portal/framework/glassbox/detector-dom.min.js

you can find the unaltered detector-dom.min.js script at our bitbucket.org

Event Timeline