Our devs have question on Adobe Launch Tag Management script as to what are the chances of bad actor hijacking the script and what kind of skills/tools which hackers can use to hack the script?
How can we detect hijacking so we can disable a user's access?..
Solved! Go to Solution.
Your Adobe Launch access should already be restricted to just people who need to be in there... not everyone with Analytics access should be added to Launch.
I suppose the risk of someone gaining access to the Launch Property would be the same as any system... if someone's credentials are hacked, someone could in theory have access to make malicious updates.
I don't know if the script itself could be hijacked.. but again, that risk would be the same as any other third party script I suppose...
If someone unauthorized did get access to someone's password, the same steps would be taken as any other site... go into the admin panel, remove access to launch (and any other Adobe products on the account), check the user's machine for malware or try to identify how their credentials were obtained, seal that up, change the password, re-grant them access.
Luckily there are logs and revision histories on the rules and data elements etc... if you are using the Adobe Servers to host the files and have , there is an option to turn on archives, which allow you to republish (up to 3) I think deployments back...
If you are self-hosting, I think you just have to create a build with your previous rule and element revisions and re-deploy. (archive doesn't seem to work for self-hosted.. at least not for us).
I don't know how you would detect issues or malicious changes... I think you would just have to monitor the deployments.
Or you could create a "deployment landing zone". Have the Launch deployments go to a separate server, then have a job that needs to be manually run to copy those files into your production site... this would require your devops team to have some manual steps for the process, but then, only properly requested changes would make it to your production site.
Your Adobe Launch access should already be restricted to just people who need to be in there... not everyone with Analytics access should be added to Launch.
I suppose the risk of someone gaining access to the Launch Property would be the same as any system... if someone's credentials are hacked, someone could in theory have access to make malicious updates.
I don't know if the script itself could be hijacked.. but again, that risk would be the same as any other third party script I suppose...
If someone unauthorized did get access to someone's password, the same steps would be taken as any other site... go into the admin panel, remove access to launch (and any other Adobe products on the account), check the user's machine for malware or try to identify how their credentials were obtained, seal that up, change the password, re-grant them access.
Luckily there are logs and revision histories on the rules and data elements etc... if you are using the Adobe Servers to host the files and have , there is an option to turn on archives, which allow you to republish (up to 3) I think deployments back...
If you are self-hosting, I think you just have to create a build with your previous rule and element revisions and re-deploy. (archive doesn't seem to work for self-hosted.. at least not for us).
I don't know how you would detect issues or malicious changes... I think you would just have to monitor the deployments.
Or you could create a "deployment landing zone". Have the Launch deployments go to a separate server, then have a job that needs to be manually run to copy those files into your production site... this would require your devops team to have some manual steps for the process, but then, only properly requested changes would make it to your production site.
Thank you for the detailed response! Appreciate it. I will pass it along to our devs.
Views
Replies
Total Likes
As mentioned above Adobe Launch access is restricted so this should fix/solveany security issues regarding access. Having said this there are several other security aspect that your team needs to be aware of:
Extensions
When you install an extension you might thing that they are "safe" meaning that Adobe done all the necessary check to validate no malicious code will be injected. Well this is not true.
The "public" extensions are being reviewed by Adobe when they are submitted for public use but when I queried with Adobe they confirmed that they will check it that it does not break Adobe Launch when installed and that all of the settings are correct but in terms of the views code and the javascript bundled in Adobe Launch main library or delivered via adobe launch are not vetted.
This opens to several kind of issues:
SOLUTION:
Custom Code
In most tagging implementation your tagging team will use custom javascript code to achieve specific tagging requirements. It can be that the tagger is not knowledgeable enough with JavaScript and will seek the code to achieve the functionality on the internet and will just copy paste this. So the rule is that any custom code should follow your coding standards, should be refactored and not copy pasted and should be peer reviewed prior being released.
Views
Replies
Total Likes
Views
Likes
Replies