Pendo debugging is any Joe Shmoe to anyone in production
It would seem that anyone is able to go to a site that utilizes Pendo and initialize `pendo.enableDebugging()`.
Is there any way to lock this down so people can't do it in production envs?
Comments
Hi James, the Pendo debugger tool is a handy tool used to troubleshoot and debug guides. It looks like access to the tool is not limited to users. I'm happy to pass this feedback on to our product teams but I'd like to collect additional information so they can act on it. Do you have reasons for locking down access to the tool? For example, is there any information you don't want general users to see in the debugger tool? Thanks!
I'm not sure what information would/could be utilized as an attack vector. I didn't notice anything when I was looking, but I did notice I could access it. I suppose I would leave that up to the sec/dev teams.