HubDoc Harvests Your Logins

HubDoc harvests your logins so it can provide you (the business owner) or your accountant with data aggregation and extraction services. But at what cost?

HubDoc markets itself as a service that gets your key financial docs in one place. Their privacy page is flawless, showcasing a company that follows all best practices. But as any adult has learnt, saying and doing can sometimes be worlds apart. Let's unpack this.

Say goodbye to chasing documents & data entry.

And say hello to data harvesting at its best.
If you haven't used HubDoc yet then you are safe.

If you used HubDoc for yourself or your clients (as a bookkeeper or accountant) then I will pray for you that your client doesn't find out you gave away their logins to a 3rd party that stores them in plain text so that a human labor force (which they employ) can do its magic: data extraction.

The magic exposed

Using the developer console I will show you HubDoc's dirty secret.

Note on my inspection tool (developer console)

The bottom part of the screenshot is my browser's developer console. This is something all modern internet browsers have built in. It allows me to see what data is exchanged between my browser and the website. Not rocket science. Just a Swiss Army knife you can use as well. I am using a browser called Brave because in my opinion it is the fastest and safest browser in 2020.

How to open developer console

To open the developer console window on Chrome, use the keyboard shortcut Ctrl+Shift+J (on Windows) or Ctrl+Option+J (on Mac). Alternatively, you can use the Chrome menu in the browser window, select the option "More Tools," and then select "Developer Tools."

Step by Step using your browser

1. Signup to HubDoc: https://app.hubdoc.com/signup

2. From the Top Menu press "Add Account". You should see this:


3. Choose any of the ~700 listed services and then enter bogus username and password.

4. You will see a screen like this asking you to provide your username and password.

The "Security notice" is a bloody joke. HubDoc is lying. They should be using OAuth to open, in this case, the American Express website, so that YOU log in on the Amex website, NOT on HubDoc. Amex would then send a security token back to HubDoc to say you are logged in, and would exchange the data HubDoc claims is "Read Only".

Again: DO NOT GIVE YOUR LOGINS TO HUBDOC.


5. Here's proof that my logins (fake in this example) are going to HubDoc and NOT Amex.
You really have to ask yourself WHY. Why is HubDoc collecting login credentials?


6. Be careful.

If your accountant or bookkeeper has told you to use HubDoc, then fire them. They are clueless and have little to no care for your data privacy. There are no second chances after your login credentials have been compromised.
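The check in step 5 can be repeated on a saved capture. This added example (not from the original post and not HubDoc's code) scans a HAR file exported from the developer console's Network tab and reports which host received password-like fields. The hosts `aggregator.example` and `bank.example`, the request paths and the field names are constructed placeholders.

```javascript
// Added example: find request bodies in a HAR export that carry password-like fields.
const CREDENTIAL_KEY = /passw(or)?d|passcode|pwd/i;

// Field names found in a HAR postData object (form params, JSON, or urlencoded text).
function postedFieldNames(postData) {
  if (!postData) return [];
  if (Array.isArray(postData.params) && postData.params.length) {
    return postData.params.map((p) => p.name);
  }
  const text = postData.text || "";
  if (!(postData.mimeType || "").includes("json")) {
    return [...new URLSearchParams(text).keys()];
  }
  const names = [];
  const walk = (v) => {
    if (v === null || typeof v !== "object") return;
    for (const [k, child] of Object.entries(v)) { names.push(k); walk(child); }
  };
  try { walk(JSON.parse(text)); } catch { /* unparseable body: no field names */ }
  return names;
}

// One finding per state-changing request whose body has a credential-like field.
// institutionDomain is the site the login belongs to (an input you supply).
function findCredentialPosts(har, institutionDomain) {
  const findings = [];
  for (const { request } of har.log.entries) {
    if (!["POST", "PUT", "PATCH"].includes(request.method)) continue;
    const fields = postedFieldNames(request.postData).filter((n) => CREDENTIAL_KEY.test(n));
    if (!fields.length) continue;
    const host = new URL(request.url).hostname;
    const sentToInstitution =
      host === institutionDomain || host.endsWith("." + institutionDomain);
    findings.push({ host, fields, sentToInstitution });
  }
  return findings;
}

// Constructed sample (placeholder hosts, bogus credentials), not captured traffic.
const SAMPLE_HAR = { log: { entries: [
  { request: { method: "GET", url: "https://app.aggregator.example/accounts" } },
  { request: { method: "POST", url: "https://app.aggregator.example/api/connect",
      postData: { mimeType: "application/json",
        text: '{"site":"bank","credentials":{"username":"bogus","password":"bogus"}}' } } },
  { request: { method: "POST", url: "https://login.bank.example/session",
      postData: { mimeType: "application/x-www-form-urlencoded",
        text: "user=bogus&password=bogus" } } },
] } };
console.log(findCredentialPosts(SAMPLE_HAR, "bank.example"));
```

A finding with `sentToInstitution: false` means the password left the browser for a host other than the institution's own, which is what an OAuth redirect flow avoids.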

Hope this was helpful in protecting your data privacy and creating a more secure world using technology.

If anything is misleading in this post then please let me know so I can correct it.
