It came to our attention this morning that a security researcher found an account takeover vulnerability on our accounts system for https://dash.readme.io by exploiting a bug in the way we sent out forgotten password request emails.
Using a crafted HTTP request, a malicious user was able to submit multiple email addresses to the reset mechanism. This triggered the password reset for the first account requested, whilst additionally sending the password reset email (including the reset URL) to the second email address.
The bug arose from our not correctly validating user input, combined with multiple code libraries transparently passing multiple email addresses through. We patched the issue this morning and are now determining whether this vulnerability was used in the wild by anyone apart from the security researcher.
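The class of bug described above, as an added illustration that is not ReadMe's code: a reset handler whose query layer and mailer both silently accept an array where a single address was expected, beside a hardened handler that rejects multi-valued input and only ever mails the address stored on the account. The user store, query helper and mailer are constructed stand-ins.

```javascript
// Constructed in-memory store of "local" accounts (not real data).
const USERS = [{ id: 1, email: 'alice@example.com' }];

// Stand-in query helper: like some ORMs, an array is treated as "any of".
function findUserByEmail(db, email) {
  const wanted = Array.isArray(email) ? email : [email];
  return db.find((u) => wanted.includes(u.email)) || null;
}

// Stand-in mailer: like many mail libraries, accepts one or many recipients.
function sendMail(outbox, to, body) {
  const recipients = Array.isArray(to) ? to : [to];
  outbox.push({ to: recipients, body });
}

// Vulnerable shape: the raw request value is reused as the recipient, so a
// multi-valued "email" matches the first account and mails every address.
// Returns true when a reset mail was sent.
function resetVulnerable(db, outbox, body) {
  const user = findUserByEmail(db, body.email);
  if (!user) return false;
  sendMail(outbox, body.email, `reset-link-for-user-${user.id}`);
  return true;
}

// Hardened shape: insist on exactly one well-formed string, and address the
// mail from the stored account record, never from request input.
// Returns true when a reset mail was sent.
function resetHardened(db, outbox, body) {
  const email = body.email;
  if (typeof email !== 'string' || !/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email)) {
    return false; // arrays, objects or malformed strings are rejected outright
  }
  const user = findUserByEmail(db, email);
  if (!user) return false;
  sendMail(outbox, user.email, `reset-link-for-user-${user.id}`);
  return true;
}
```

The same multi-valued body that leaks the link in the first handler is refused by the second, which is the check a reset endpoint should perform before any lookup or send.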
Some things to note about the vulnerability:
- Only "local" ReadMe accounts were subject to this
- No SAML/SSO accounts were affected
We deployed a fix this morning at 11:03AM PST. If you suspect that anyone has accessed your account maliciously, please reset your password and notify us by emailing firstname.lastname@example.org. We're currently searching for any customers who may have been affected by this. You may receive additional correspondence from us related to this issue.
We have a bug bounty program at ReadMe. Security researchers are encouraged to reach out to us at email@example.com with any bugs or issues that they find. As we've grown both the support and engineering teams at ReadMe, the responsibility for monitoring this email inbox has changed hands multiple times.
The issue we fixed this morning was reported to us multiple times and went completely unnoticed due to the sheer volume of spam this inbox receives. We found out about it when one of our customers notified us of a public disclosure blog post they had found online.
This is not acceptable and we take full responsibility for this being missed. From now on, there will always be a dedicated engineer on call to check any security issues and correspond with security researchers to pay out appropriate bug bounties. This will lead to fixes being deployed in a timely manner, instead of issues being publicly disclosed whilst our application is still vulnerable.
We're in the process of contacting the person who found the bug to pay them handsomely for their efforts.
We highly recommend turning on Two Factor Authentication within your ReadMe account. Find out how to do that here: https://docs.readme.com/docs/two-factor-authentication