Debrief of a major security issue
Yesterday a security issue in the website's login feature was found; here is a short recap of what happened.
Running a project with thousands of users is not easy to handle on a daily basis.
Yesterday around 5 PM by email, and later around 8 PM on Twitter, David Albert (@Garkolym) reported to us a major security issue that could be exploited through the Twitch OAuth 2 login.
An attacker could easily take over another existing user's account if they knew the victim's email address.
We had to take another look at our login procedure to confirm the reported vulnerability and fix it.
At 11:20 PM a security patch was applied in production.
What a first weekend evening!
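The post does not show how the Twitch login was implemented. The following is an added example, not the website's own code, and it assumes the usual cause of "take over any account if you know the victim's email": the application looks up an existing local account by the email address found in the OAuth profile, even though that address is controlled by whoever owns the provider account. The vulnerable lookup is shown next to a hardened one that only matches on the provider's stable user id and refuses to auto-link on an email collision. All class names, functions and sample users are constructed for the example.

```python
"""Account linking on OAuth 2 login: the vulnerable pattern and a hardened one.

Added example, not the site's code. Assumption: the original bug was an
account lookup keyed on the email address returned by the OAuth provider.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass
class User:
    user_id: int
    email: str
    # (provider, provider_user_id) pairs the owner linked from an
    # authenticated session; this is the only trusted binding
    identities: Set[Tuple[str, str]] = field(default_factory=set)


@dataclass(frozen=True)
class OAuthProfile:
    """What the application receives from the provider after the OAuth 2 flow."""
    provider: str
    provider_user_id: str  # stable identifier issued by the provider
    email: str             # user-editable on many providers, so not proof of ownership


class LinkRequired(Exception):
    """The login could not be safely mapped to a local account."""


class UserStore:
    """Constructed in-memory user table standing in for the real database."""

    def __init__(self) -> None:
        self._users: Dict[int, User] = {}
        self._next_id = 1

    def create(self, email: str) -> User:
        user = User(self._next_id, email.lower())
        self._users[user.user_id] = user
        self._next_id += 1
        return user

    def by_email(self, email: str) -> Optional[User]:
        email = email.lower()
        return next((u for u in self._users.values() if u.email == email), None)

    def by_identity(self, provider: str, provider_user_id: str) -> Optional[User]:
        key = (provider, provider_user_id)
        return next((u for u in self._users.values() if key in u.identities), None)


def vulnerable_login(store: UserStore, profile: OAuthProfile) -> User:
    """Selects the local account by the provider-supplied email address.

    Anyone who can make the provider return the victim's email (for example
    by setting it on their own provider account) is logged in as the victim.
    """
    user = store.by_email(profile.email)
    if user is None:
        user = store.create(profile.email)
    return user


def hardened_login(store: UserStore, profile: OAuthProfile) -> User:
    """Selects the local account only by the provider's stable user id.

    An email collision with an existing account is not proof of ownership:
    the login is refused and the owner must link the identity from a
    session authenticated by other means (see link_identity).
    """
    user = store.by_identity(profile.provider, profile.provider_user_id)
    if user is not None:
        return user
    if store.by_email(profile.email) is not None:
        raise LinkRequired(
            f"{profile.email} already has an account; link {profile.provider} "
            "from an authenticated session instead of signing in with it"
        )
    user = store.create(profile.email)
    user.identities.add((profile.provider, profile.provider_user_id))
    return user


def link_identity(store: UserStore, user: User, profile: OAuthProfile) -> None:
    """Binds a provider identity to `user`; call only when `user` is already logged in."""
    owner = store.by_identity(profile.provider, profile.provider_user_id)
    if owner is not None and owner is not user:
        raise LinkRequired("that provider identity is already linked to another account")
    user.identities.add((profile.provider, profile.provider_user_id))


def demo() -> Tuple[int, Optional[int]]:
    """Constructed scenario: the victim has a local account and the attacker's
    Twitch profile carries the victim's email. Returns the user id each login
    path yields; None means the hardened path refused the login."""
    store = UserStore()
    victim = store.create("victim@example.com")
    attacker_profile = OAuthProfile("twitch", "attacker-id-123", "Victim@Example.com")
    vulnerable_uid = vulnerable_login(store, attacker_profile).user_id
    try:
        hardened_uid: Optional[int] = hardened_login(store, attacker_profile).user_id
    except LinkRequired:
        hardened_uid = None
    assert vulnerable_uid == victim.user_id
    return vulnerable_uid, hardened_uid


if __name__ == "__main__":
    print(demo())
```

The design point is that the only thing the provider asserts reliably is its own user id; the email in the profile is just a claim. Matching on the id also means a later email change on the provider side does not break or redirect the login.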
The website is now running v3.3.1, but it appears we never announced the v3.3.0 changes:
- New image upload user experience: you can now crop and resize your photos!
- GDPR: a link has appeared on your profile edit page to retrieve your personal data in JSON format.
- The Home and Recent Setups pages should now load significantly faster.
Thanks again to David Albert for his ethics and the private disclosure.
EDIT 10/07/18: After a retrospective analysis of the vulnerability, it appeared that less than 15% of our users were actually affected.
Published on 7 Jul 2018, 07:45 (GMT) by Samuel FORESTIER