
Security Issue with using CC Account Password for Third Party Integration


We are a third party provider. Our customers use the wireless Wi-Fi device we provide to collect email signups at their place of business.


We use the CC API to add the new contacts directly into our customer's account. There are no issues with any of the integration.


However, we, being a 3rd party provider, should not be asking our customers for their CC account/password to be able to use the API integration. This causes a serious security issue, both for us and our customers (particularly big ones). Why can't we have a separate password for API access? With this password, you cannot log in to the CC account using the Web; it can only be used with the API. Also, have the ability to assign a distinct password for each "Developer API Key". This will not only enhance security from the CC customer's perspective, but also give them total control of when to shut down a particular external provider application. This will also get us (as a 3rd party app provider) out of a bind if a customer account ever gets compromised, as the passwords are different and the culprit source can be clearly identified.


Thanks

Hi Subba,


 


I'll forward your feedback on to our Product Management team. We have had previous feedback for multiple logins or multiple access levels on an account and I believe that may be a better solution. We are unlikely to be able to allow a single customer to turn off an API Key as many of our developers have their API Keys and integrations used by 10s or 100s of accounts.

Dave Berard
Senior Product Manager, Constant Contact

Dave,


Thanks for the reply. As long as you have a mechanism in place where the customer doesn't have to share their web account password, it will resolve the immediate security concerns. It also solves the related issue of customers changing their passwords without knowing there are 3rd party applications using them. If the passwords are different, there are minimal chances of running into this issue.


Appreciate you looking into this.


Thanks


-Subba


Sterizon LLC
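
The credential separation discussed in this thread, sketched as an added example (not Constant Contact's API and not code from either poster): each (account, developer API key) pair gets its own random secret that is useless for web login, survives a web password change, and can be revoked for one account without disabling the key for others. The class, method, account and key names are all hypothetical.

```python
import hashlib, hmac, secrets

class AccountAuth:
    """Web password and per-integration API secrets kept as separate credentials."""

    def __init__(self):
        self._web = {}     # account -> (salt, PBKDF2 hash of the web password)
        self._grants = {}  # (account, api_key) -> SHA-256 of the integration secret
        self.audit = []    # (account, api_key, outcome): which integration made each call

    @staticmethod
    def _kdf(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

    def set_web_password(self, account, password):
        salt = secrets.token_bytes(16)
        self._web[account] = (salt, self._kdf(password, salt))

    def web_login(self, account, password):
        # Only the web password is checked here; integration secrets never match.
        if account not in self._web:
            return False
        salt, stored = self._web[account]
        return hmac.compare_digest(stored, self._kdf(password, salt))

    def issue(self, account, api_key):
        # Random high-entropy secret, returned once; only its hash is stored.
        secret = secrets.token_urlsafe(32)
        self._grants[(account, api_key)] = hashlib.sha256(secret.encode()).digest()
        return secret

    def revoke(self, account, api_key):
        # Cuts off one integration on one account; the key keeps working elsewhere.
        return self._grants.pop((account, api_key), None) is not None

    def api_auth(self, account, api_key, secret):
        stored = self._grants.get((account, api_key))
        presented = hashlib.sha256(secret.encode()).digest()
        ok = stored is not None and hmac.compare_digest(stored, presented)
        self.audit.append((account, api_key, "ok" if ok else "denied"))
        return ok
```

Because every API call is logged against the (account, API key) pair, a misbehaving integration can be identified from the audit trail and revoked on its own.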
