imls-dmt / imls-dmt-api

Apache License 2.0

Add submission validation and filtering to unauthenticated "pings" for outgoing link actions #61

Open karlbenedict opened 4 years ago

karlbenedict commented 4 years ago

As aspects of the timestamp updating (e.g. outgoing link "pings") are handled through non-authenticated submissions, set up queueing/filtering in the submission process to handle erroneous/malicious submissions.

hbarrett commented 3 years ago

I am not sure I understand. Can you give some examples explaining the issue? Thanks.

karlbenedict commented 3 years ago

We had discussed having a route that would allow us to capture clicks (as timestamps in the resource metadata) on outgoing links from the Clearinghouse to collect information on which resource access links are getting clicked by users. Essentially this is to be able to capture metrics on which resources are getting more "action" in terms of triggering users to visit the resource content (i.e. the training materials themselves).

Thinking about this further I realized that these API calls would be coming from unauthenticated users, and could provide a vector for malicious users to attack the system. I wanted to get this potential on our radar so that we might consider a way to mitigate this risk.
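
One way to implement the queueing/filtering asked for in this issue, as an added example that is not code from imls-dmt-api: the client supplies only a resource identifier, the server looks up the registered outgoing link itself, stamps the click with its own clock, rate-limits per client, drops repeat pings from the same client, and queues the accepted ping for a batch metadata update instead of writing in the request path. The resource table, ID format, limits and all function names are assumptions for illustration.

```python
"""Validation, rate limiting and queueing for an unauthenticated click "ping".

Design point: an anonymous caller can only advance the click timestamp of a
resource the server already knows. Nothing client-controlled (URL, timestamp,
free text) is ever stored, so the route cannot be used to inject content.
"""
import re
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Deque, Dict, Optional, Tuple

# Constructed sample resource table (assumption): resource id -> registered outgoing link.
KNOWN_RESOURCES: Dict[str, str] = {
    "res-0001": "https://example.org/training/intro",
    "res-0002": "https://example.org/training/advanced",
}

# Assumed identifier format; anything else is rejected before any lookup.
RESOURCE_ID_RE = re.compile(r"res-\d{4}")


@dataclass
class PingFilter:
    max_per_window: int = 5          # pings accepted per client per window
    window_seconds: float = 60.0     # sliding window for the rate limit
    dedupe_seconds: float = 10.0     # same client + same resource within this gap is one click
    known: Dict[str, str] = field(default_factory=lambda: dict(KNOWN_RESOURCES))
    _hits: Dict[str, Deque[float]] = field(default_factory=lambda: defaultdict(deque))
    _last_seen: Dict[Tuple[str, str], float] = field(default_factory=dict)
    queue: Deque[dict] = field(default_factory=deque)

    def submit(self, client_ip: str, resource_id: str, now: float) -> Tuple[str, Optional[str]]:
        """Filter one ping. Returns (status, redirect_url); url is set only when queued.

        `now` is the server clock at receipt; a client-supplied timestamp is never trusted.
        """
        # 1. Rate limit first: every request, valid or not, spends the client's budget,
        #    so a flood of malformed submissions is cut off just like a flood of valid ones.
        hits = self._hits[client_ip]
        while hits and now - hits[0] >= self.window_seconds:
            hits.popleft()
        if len(hits) >= self.max_per_window:
            return "rejected:rate_limited", None
        hits.append(now)

        # 2. Shape check on the only client-controlled field.
        if not isinstance(resource_id, str) or not RESOURCE_ID_RE.fullmatch(resource_id):
            return "rejected:bad_id", None

        # 3. The resource must exist; the outgoing link comes from the server table.
        target = self.known.get(resource_id)
        if target is None:
            return "rejected:unknown_resource", None

        # 4. Collapse rapid repeats (double clicks, reload loops, simple replay) into one click.
        key = (client_ip, resource_id)
        last = self._last_seen.get(key)
        if last is not None and now - last < self.dedupe_seconds:
            return "dropped:duplicate", target
        self._last_seen[key] = now

        # 5. Queue for a batch writer instead of touching resource metadata per request.
        self.queue.append({"resource_id": resource_id, "ts": now})
        return "queued", target

    def flush(self) -> Dict[str, float]:
        """Drain the queue, returning the latest click timestamp per resource.

        This is what a periodic batch job would persist into the resource metadata.
        """
        latest: Dict[str, float] = {}
        while self.queue:
            ping = self.queue.popleft()
            rid = ping["resource_id"]
            latest[rid] = max(latest.get(rid, 0.0), ping["ts"])
        return latest


if __name__ == "__main__":
    f = PingFilter(max_per_window=3)
    print(f.submit("10.0.0.1", "res-0001", now=100.0))   # queued, redirect to registered link
    print(f.submit("10.0.0.1", "res-0001", now=101.0))   # duplicate within 10 s, not queued
    print(f.submit("10.0.0.1", "../etc/passwd", now=102.0))  # malformed id rejected
    print(f.submit("10.0.0.1", "res-0002", now=103.0))   # fourth request in window, rate limited
    print(f.flush())
```

Because the ping route returns the registered URL, it can double as the redirect target for the outgoing link itself, which removes any reason for the client to send a URL at all. The per-IP window is a first filter only; behind a shared NAT or proxy the limits need to be set with the real client population in mind.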

hbarrett commented 3 years ago

I will audit all routes that do not require a login for abuse.