Our company works with affiliates that promote our products. They get paid based on how many sales they bring to us.

To track conversions, they ask us to put third-party tracking pixels on our "thank you" page (the final page our customer is redirected to after payment through a third-party billing processor is complete).

So, we ended up with a ton of tracking JS code and hidden iframes on our "thank you" page.

Is it safe?
The billing processor sends sensitive data to this page via GET variables that we'd rather not make accessible to the affiliates.

Or maybe there is a better way to do this? Like, store all the tracking code from our affiliates in a database and only load the one that matches the customer's referral?

UPDATE

I'm worried about "third-party tracking pixels" that are not from "trusted" third parties (like Google or Yahoo) but are custom-made by our affiliates.

rinchik
  • Which billing processor is this? They should really be posting sensitive data separately from the user and reading a not-so-sensitive session ID (which is not quite as bad as, say, a card number...) from GET or a cookie... – Amelia Oct 19 '12 at 15:23
  • We work with ClickBank. They don't send credit card numbers via GET. I'm worried about emails, receipts, transaction amounts. Potentially one tracking code could collect all this and generate reports about our revenues. Which is really not good :o))) – rinchik Oct 19 '12 at 15:28
  • see: http://stackoverflow.com/questions/2157396/how-do-you-get-the-url-referer-via-a-javascript-include – Amelia Oct 19 '12 at 16:10

1 Answer

You do not have to worry about affiliates. Usually such solutions only talk to your partner and get distributed on that end.

As for GET parameters or page content, just read the JavaScript code and see how it behaves. If it doesn't eval some response and doesn't touch DOM elements or cookies, you're fine. And I really see no reason why they would need to do that. But if the partner seems untrustworthy, why deal with them at all?

Note that if you request a static resource, such as an image, only cookies set by the image's domain are sent. To see what's going on on your page, use Firebug or Chrome Developer Tools and check which request headers are being sent.

Mirko Adari
  • I'm not worried about affiliates. I'm worried about the data they are not supposed to get, but might be getting. – rinchik Oct 19 '12 at 15:15
  • Maybe show some code samples that you are suspicious of? As a philosophical topic this is the best advice I can give you :) – Mirko Adari Oct 19 '12 at 15:17
  • I'm actively working on JS ones. But what about pixel images? Is it possible to get all GET requests through them? – rinchik Oct 19 '12 at 15:17
  • I prefer not to call them "partners"; it's worth dealing with them because they bring a lot of sales. It's all about money :). – rinchik Oct 19 '12 at 15:21
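
The following is an added example, not code from the question, the answer, or any affiliate or billing processor. It puts the question's own idea (keep affiliate tracking code in a registry and load only the one matching the customer's referral) next to the answer's point about what a static image request carries: before any third-party pixel or script is inserted, the sensitive GET parameters are removed from the page URL, and the pixel is emitted with `referrerpolicy="no-referrer"` so the request to the affiliate's server carries no Referer header at all. The parameter names, affiliate ids and pixel URLs are constructed placeholders, not ClickBank's or anyone's real values.

```javascript
// Added example (not from the original post): keep the billing processor's
// sensitive query parameters away from affiliate tracking pixels on a
// "thank you" page. All parameter names, affiliate ids and pixel URLs below
// are constructed assumptions for illustration.

// Constructed sample of parameter names the billing processor puts in the URL.
// Real names depend on the processor; nothing here is taken from ClickBank.
const SENSITIVE_PARAMS = ['email', 'receipt', 'amount', 'cname'];

// 1. Remove sensitive parameters from the thank-you URL so that location.search,
//    document.URL and the Referer of later requests no longer contain them.
function scrubSensitiveParams(urlString, sensitive = SENSITIVE_PARAMS) {
  const url = new URL(urlString);
  for (const key of sensitive) {
    url.searchParams.delete(key);
  }
  return url.toString();
}

// Constructed affiliate registry; in production this would come from a database,
// as the question suggests, instead of every affiliate's code being on the page.
const AFFILIATE_PIXELS = {
  aff123: 'https://tracker.example-affiliate-a.invalid/conv.gif',
  aff456: 'https://tracker.example-affiliate-b.invalid/pixel.png',
};

// 2. Pick the single pixel URL for the affiliate that referred this customer.
//    Returns null for an unknown affiliate id so nothing at all is loaded.
function selectPixel(affiliateId, registry = AFFILIATE_PIXELS) {
  if (!Object.prototype.hasOwnProperty.call(registry, affiliateId)) {
    return null;
  }
  return registry[affiliateId];
}

// 3. Render the <img> pixel. Only an opaque order id is passed on to the
//    affiliate, and referrerpolicy="no-referrer" (a standard HTML attribute)
//    tells the browser to send no Referer header with the image request, so
//    even an un-scrubbed thank-you URL would not reach the affiliate that way.
function pixelHtml(pixelUrl, orderId) {
  const src = new URL(pixelUrl);
  src.searchParams.set('order', String(orderId)); // URL-encodes the value
  return `<img src="${src.toString()}" width="1" height="1" alt="" referrerpolicy="no-referrer">`;
}

// Browser entry point: call this before any affiliate script or pixel is
// inserted into the page. Returns the cleaned URL, or null outside a browser.
function protectThankYouPage(affiliateId, orderId) {
  if (typeof window === 'undefined') return null; // e.g. running under Node
  const cleaned = scrubSensitiveParams(window.location.href);
  // Rewrite the address bar/history entry without reloading the page.
  window.history.replaceState(null, '', cleaned);
  const pixel = selectPixel(affiliateId);
  if (pixel) {
    document.body.insertAdjacentHTML('beforeend', pixelHtml(pixel, orderId));
  }
  return cleaned;
}
```

Scrubbing the URL in JavaScript only helps if it runs before any affiliate code is inserted, and it cannot undo a Referer already sent for the page load itself. A stronger layout is to have the server accept the processor's redirect, store the details in the session, and redirect the customer to a clean thank-you URL, so no third-party code ever sees the original query string; the example above is the client-side fallback for that.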