Fixed Cross-Site Scripting vulnerability on hosted media domains


We recently fixed a security vulnerability whereby an attacker could upload executable content to our media storage domains.

On 13th November 2022, a security researcher notified us of a cross-site scripting (XSS) vulnerability affecting our media storage domains. This XSS vulnerability made it possible for attackers to upload content to our storage domains that could then be shared as links for use in 'phishing' or other attacks.

We fixed the vulnerability on the morning of the 15th November 2022 by blocking script access to the API from the impacted domains, ensuring that any malicious code failed to gain access to authenticated private data. This remedial action was followed by another fix on the 16th November that deployed block rules at our Content Distribution Network (CDN) provider to prevent malicious resource links being served to users. In addition, on the 8th of December we deployed a change to the API to only allow non-malicious files to be uploaded to these storage domains.

The mitigation and fix steps described above allowed us time to research the problem and audit our storage systems for any live exploits. After this audit we determined that this vulnerability had not been exploited for any malicious purpose; no data was leaked and no users were exposed to injected code.
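The three layers described above (an API origin allowlist that excludes the media storage domains, response rules at the CDN so stored objects are never rendered as script, and upload validation that admits only non-executable files) are illustrated below as an added example in Python. This is not the advisory's own code: the domain names, the accepted image formats and the sample uploads are constructed assumptions, and the same validator is reused as the audit pass over already-stored objects.

```python
"""Added example (not the advisory's code): three defensive layers against
stored XSS on a media storage domain, plus an audit pass over stored objects.
All origins, formats and sample uploads below are constructed assumptions."""
import re
from typing import Dict, List, Optional, Tuple

# --- Layer 1: API origin allowlist (block script access to the API) -----------
# Assumed origins; the advisory does not name its real domains.
API_ALLOWED_ORIGINS = {"https://app.example.com"}
MEDIA_STORAGE_ORIGINS = {"https://media.example.com", "https://uploads.example.com"}


def cors_allow_origin(origin: str) -> Optional[str]:
    """Value for Access-Control-Allow-Origin on an API response, or None to omit it.
    Media storage origins are never allowed, so even script that does run
    there cannot read authenticated API responses."""
    if origin in MEDIA_STORAGE_ORIGINS:
        return None
    return origin if origin in API_ALLOWED_ORIGINS else None


# --- Layer 2: response headers served by the CDN for stored objects -----------
def storage_response_headers(mime: str) -> Dict[str, str]:
    """Headers that stop a browser from executing anything served from storage."""
    return {
        "Content-Type": mime,
        # Never let the browser re-sniff a stored object as text/html.
        "X-Content-Type-Options": "nosniff",
        # Even an HTML/SVG polyglot gets no script and an opaque origin.
        "Content-Security-Policy": "sandbox; default-src 'none'",
        # Only image types are displayed inline; anything else is a download.
        "Content-Disposition": "inline" if mime.startswith("image/") else "attachment",
    }


# --- Layer 3: upload validation (only non-executable files are accepted) ------
# Magic bytes of the formats this hypothetical service accepts.
IMAGE_SIGNATURES = {
    b"\xff\xd8\xff": "image/jpeg",
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
}
# Markup a browser could render as an active document (HTML, SVG, XHTML).
ACTIVE_CONTENT_RE = re.compile(
    rb"<\s*(!doctype|html|script|svg|body|iframe|object|embed|meta)\b", re.IGNORECASE
)


def validate_upload(data: bytes, declared_type: str) -> Tuple[bool, str]:
    """Return (accepted, detail). Accept only content whose magic bytes match a
    known image format and whose declared MIME type agrees with the sniffed one."""
    sniffed = next((m for sig, m in IMAGE_SIGNATURES.items() if data.startswith(sig)), None)
    if sniffed is None:
        if ACTIVE_CONTENT_RE.search(data[:4096]):
            return False, "rejected: browser-renderable markup"
        return False, "rejected: unrecognised file type"
    if declared_type.lower() != sniffed:
        return False, f"rejected: declared {declared_type}, content is {sniffed}"
    return True, sniffed


def audit_stored_objects(objects: Dict[str, Tuple[bytes, str]]) -> List[str]:
    """Names of already-stored objects that the current validator would reject."""
    return [name for name, (data, mime) in objects.items() if not validate_upload(data, mime)[0]]


# Constructed sample uploads: one genuine image and four that must be refused.
SAMPLE_UPLOADS = {
    "photo.png": (b"\x89PNG\r\n\x1a\n" + b"\x00" * 32, "image/png"),
    "page.html": (b"<!DOCTYPE html><html><body><script>void 0</script></body></html>", "text/html"),
    "icon.svg": (b"<svg xmlns='http://www.w3.org/2000/svg'><script>void 0</script></svg>", "image/svg+xml"),
    "fake.png": (b"<html><script>void 0</script></html>", "image/png"),
    "blob.bin": (b"\x00\x01\x02garbage", "application/octet-stream"),
}

if __name__ == "__main__":
    for name, (data, mime) in SAMPLE_UPLOADS.items():
        print(f"{name:10s} -> {validate_upload(data, mime)}")
    print("flagged on audit:", audit_stored_objects(SAMPLE_UPLOADS))
    print("CORS for media origin:", cors_allow_origin("https://media.example.com"))
    print("storage headers:", storage_response_headers("image/png"))
```

The validator deliberately trusts magic bytes over the declared type, so an HTML file renamed to `.png` is refused, and the response headers mean that even an object which passed validation but carries embedded markup is served inert rather than executed.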

We'd like to thank Michal Biesiada (https://github.com/mbiesiad) for bringing this issue to our attention and for following responsible disclosure by reporting it to us in private, as requested on our security page.
