Debrief of a major security issue

Yesterday, a security issue in the website's login feature was found. Here is a short recap of what happened.

Running a project with thousands of users is not easy to handle on a daily basis.

Yesterday around 5 PM by email, and later around 8 PM on Twitter, David Albert (@Garkolym) reported to us a major security issue that could be exploited by logging in with the Twitch OAuth 2 protocol.

An attacker could easily steal another existing user's account if he knew the victim's email address.

We had to take another look at our login procedure to confirm that the vulnerability we had been told about existed, and to fix it.

At 11:20 PM, a security patch was applied to production.

What a first weekend evening!


The website is now running v3.3.1, but it appears we never announced the v3.3.0 changes to you:

  • New image upload user experience: you'll now be able to crop and resize your photos!
  • GDPR: a link has appeared on your profile edit page to retrieve your personal data in JSON format.
  • The Home and Recent Setups pages should now load significantly faster.


Thanks again to David Albert for his ethics and the closed disclosure.

The HeadStaff

Photo by Hugo Jehanne on Unsplash


EDIT 10/07/18: After a retrospective analysis of the vulnerability, it appeared that less than 15% of our users were actually affected.


Published on 7 Jul 2018, 07:45 (GMT) by Samuel FORESTIER