Ykccn.Net
App Quality Report
Powered by Testers.AI
Quality Score: A (92%)
Pages: 2
Issues: 20
Avg Confidence: 8.2
Avg Priority: 8.0
Severity breakdown: 9 Critical · 9 High · 2 Medium
Testers.AI AI Analysis

Ykccn.Net was tested and 20 issues were detected across the site. The most critical finding was: PII-like identifiers exposed to a third-party health/telemetry endpoint. Issues span Security, Legal, A11y, Performance categories. Persona feedback rated Visual highest (8/10) and Accessibility lowest (5/10).

Qualitative Quality (chart legend: Ykccn.Net, Category Avg, Best in Category)
Issue Count by Type: Content 5 · A11y 4 · Security 4 · UX 3 · Legal 1
Pages Tested · 2 screenshots
Detected Issues · 20 total
1
PII-like identifiers exposed to a third-party health/telemetry endpoint
CRIT P9
Conf 9/10 Other
Prompt to Fix
In the health telemetry POST to arms-retcode.aliyuncs.com, remove or anonymize identifiers in the query string (uid, sid, pv_id, pid, etc.). Replace with nonce or hashed tokens; ensure data minimization; require explicit user consent for third-party telemetry; move sensitive processing server-side when possible; implement a toggle to disable third-party telemetry by default.
Why it's a bug
The request to arms-retcode.aliyuncs.com includes uid, sid, pv_id and other identifiers in the URL query string. This leaks user/session identifiers to a third-party service without clear user consent or minimization, constituting potential PII exposure and user tracking.
Why it might not be a bug
If these identifiers are strictly internal placeholders and never linked to real users or protected data, it could be argued they are not PII. However, given they are transmitted to a third party in a query string, this is almost certainly a privacy risk without explicit consent or data minimization.
Suggested Fix
Remove sensitive identifiers from client-side telemetry URLs. Replace with anonymized or hashed tokens, or shift to server-side logging. Implement user-consent gating for third-party telemetry and ensure data minimization in all outgoing requests.
Why Fix
Prevent potential privacy violations, reduce risk of user tracking across services, and align with data minimization principles and privacy laws.
Route To
Privacy Engineer / Security Engineer
Tester
Pete · Privacy Networking Analyzer
Technical Evidence
Console: "POST https://arms-retcode.aliyuncs.com/r.png?t=health&times=1&page=www.ykccn.net%2Fomp%2Fcustomermanagementoverview&tag=&release=&environment=prod&begin=1774516424998&errcount=0&apisucc=0&apifail=0&healthy=1&stay=382&sr=800x600&vp=1920x1080&ct=4g&uid=ddm77ndO7ee9L09sbgmnkwpnCR42&sid=ypmwLnvy7379I59esgbwkInnF1F9&pid=gb7wlo91dj%4089b45e841156cac&_v=1.8.36-beta.1&pv_id=Cym2mnm97Ud9RO9q3g2Iad90wsOk&sampling=1&z=mn799g9z"
Network: POST https://arms-retcode.aliyuncs.com/r.png?t=health&times=1 page=www.ykccn.net/omp/customermanagementoverview ... uid=ddm77ndO7ee9L09sbgmnkwpnCR42 & sid=ypmwLnvy7379I59esgbwkInnF1F9 & pv_id=Cym2mnm97Ud9RO9q3g2Iad90wsOk
2
Unconsented third-party tracking and data sharing via Alibaba/AMAP analytics
CRIT P9
Conf 9/10 Other
Prompt to Fix
Disable or defer loading of third-party analytics scripts (rum.aliyuncs.com, amap logs) until explicit user consent is obtained. Remove or minimize data sent (avoid device fingerprinting fields, viewport/screen data, and user identifiers). If consent is given, ensure a privacy-friendly data schema and disclose usage in the privacy policy; route analytics to a first-party endpoint with strict data minimization.
Why it's a bug
Multiple requests load third-party analytics/tracking assets (sdk.rum.aliyuncs.com/v1/bl.js, AMap-related calls, etc.). These can collect device characteristics, viewport, and interaction data across sites. Without explicit user consent or appropriate privacy disclosures, this constitutes cross-site tracking and data sharing with third parties.
Why it might not be a bug
If an explicit, user-facing consent mechanism and privacy policy disclosures are in place, this could be acceptable. In the absence of clear consent signals in the observed traffic, this should be treated as a privacy defect.
Suggested Fix
Implement consent gating for all third-party analytics scripts (e.g., only load after user opt-in). Prefer first-party analytics with minimized data collection. Remove unnecessary device/viewport data from outgoing requests. Provide clear privacy notices and allow easy opt-out.
Why Fix
Prevents cross-site tracking, strengthens user privacy protections, and aligns with privacy regulations (e.g., GDPR/CCPA). Improves user trust and reduces risk of regulatory penalties.
Route To
Privacy Engineer / Frontend Security Engineer
Tester
Pete · Privacy Networking Analyzer
Technical Evidence
Console: "GET https://sdk.rum.aliyuncs.com/v1/bl.js - Status: 200"
Network: GET https://sdk.rum.aliyuncs.com/v1/bl.js with tracking/telemetry payloads; GET https://restapi.amap.com/v3/log/init?... &appname=https%3A%2F%2Fwww.ykccn.net%2FOMP%2FcustomerManagementOverview
3
API key exposed in URL query parameters (Amap API key)
CRIT P9
Conf 9/10 · Security, Other
Prompt to Fix
In the frontend code that requests Amap services, replace direct inclusion of the API key in URLs with a backend-proxied request or implement a strictly restricted API key. Ensure the key is not exposed in client-side code or browser history. Implement origin/domain restrictions on the API key, log redaction, and rotate keys periodically. Example prompt for AI: 'Refactor frontend to call /api/amap/maps via our backend, remove direct key from frontend URLs, enforce referer/domain restrictions and rate limits, and implement server-side key rotation.'
Why it's a bug
The API key 4228f68e6a71cad62f043e1c7d72b6c6 is being transmitted in URL query parameters to Amap services (webapi.amap.com/maps and restapi.amap.com/log/init). Keys in URLs can be captured in browser history, server logs, analytics, and referer headers, enabling unauthorized usage, misuse, or cost accrual if leaked.
Why it might not be a bug
Public frontend integrations often require client-side keys; however, best practice is to restrict keys to allowed origins and to implement server-side proxying or signed requests so the key is not exposed in URLs.
Suggested Fix
Move API calls behind a backend proxy or environment that injects the key server-side; use restricted, domain- or IP-restricted API keys; enforce usage quotas and monitoring; consider using token exchange or short-lived signed URLs; apply strict CSP/log redaction.
Why Fix
Reduces risk of key leakage, abuse, and unintended charges by preventing exposure of credentials in client-facing requests.
Route To
Frontend Security Engineer / Platform Engineer
Tester
Sharon · Security Networking Analyzer
Technical Evidence
Console: Query parameter 'key' visible in URL for Amap map/log calls; example: https://webapi.amap.com/maps?v=2.0&key=4228f68e6a71cad62f043e1c7d72b6c6&plugin=AMap.Geocoder
Network: GET https://webapi.amap.com/maps?v=2.0&key=4228f68e6a71cad62f043e1c7d72b6c6&plugin=AMap.Geocoder - Status: 200; and GET https://restapi.amap.com/v3/log/init?...&key=4228f68e6a71cad62f043e1c7d72b6c6&...
12 more issues detected, including:
- AI/LLM endpoints loaded on page load (privacy/performance ri...
- Hardcoded AI/ML-related API key embedded in frontend request...
- Uninformative console errors (JSHandle@error) with no detail...
- and 9 more...