Postmortem: Account Takeover Vulnerability
Incident Report for ReadMe
Resolved
Ehsan here, from the Support Team. I wanted to commend our Engineers for their swift action today, and also take responsibility for not bringing this to their attention sooner. Security concerns will now be handled directly by Engineering.

1. Who was affected?
After a thorough investigation we concluded that six customers were potentially compromised. We've reached out to them to share the details of our findings and to correct any malicious tampering if found.

2. How long has this been an issue?
The issue was first reported to us 2 months ago. Our Engineering team took immediate action when they were made aware of it this morning.

3. Why wasn't this fixed sooner?
The Support Team failed to identify and escalate this qualifying vulnerability in a timely manner.

4. How will you prevent this from happening in the future?
Every security concern will be promptly reviewed by an Engineer to prevent delayed action on critical vulnerabilities.

We recently upgraded our Two Factor Authentication feature to include Backup Codes; please enable 2FA on your ReadMe account:
https://docs.readme.com/docs/two-factor-authentication
Posted Oct 03, 2019 - 18:58 PDT
Investigating
It came to our attention this morning that a security researcher found an account takeover vulnerability on our accounts system for https://dash.readme.io by exploiting a bug in the way we sent out forgotten password request emails.

Using a crafted HTTP request, a malicious user was able to send multiple email addresses to the reset mechanism. This triggered the password reset for the first account requested, while additionally sending the password reset email (including the reset URL) to the second email address.

The bug arose from us not correctly validating input from the user, combined with multiple code libraries transparently allowing multiple email addresses to be passed through. We patched the issue this morning and are now determining whether this vulnerability was used in the wild by anyone other than the security researcher.

Some things to note about the vulnerability:
- Only "local" ReadMe accounts were subject to this
- No SAML/SSO accounts were affected

We deployed a fix this morning at 11:03AM PST. If you suspect that anyone has accessed your account maliciously, please reset your password and notify us by emailing support@readme.io. We're currently searching for any customers who may have been affected by this. You may receive additional correspondence from us related to this issue.

-------------------------

We have a bug bounty program at ReadMe. Security researchers are encouraged to reach out to us at security@readme.io with any bugs or issues that they find. As we've grown both the support and engineering teams at ReadMe, the responsibility for monitoring this email inbox has switched multiple times.

The issue we fixed this morning was reported to us multiple times and went completely unnoticed due to the sheer volume of spam this inbox receives. We found out about this issue from one of our customers notifying us of a public disclosure blog post that they found online.

This is not acceptable and we take full responsibility for this getting missed. From now on, there will always be a dedicated engineer on call to check any security issues and correspond with security researchers to pay out appropriate bug bounties. This will lead to fixes being deployed in a timely manner, instead of being publicly disclosed whilst our application is still vulnerable.

We're in the process of contacting the person who found the bug to pay them handsomely for their efforts.
We highly recommend turning on Two Factor Authentication within your ReadMe account. Find out how to do that here: https://docs.readme.com/docs/two-factor-authentication.
Posted Oct 03, 2019 - 14:07 PDT
This incident affected: Admin Dashboard.