Nov 29, 2021 7:42 pm
Unfortunately, I have upsetting news today. Last Friday, Adam found a security hole in the GP code that could leak user profile data. Among those, the most security concerning are hashed passwords, email addresses, and date of birth. This data was available through an API call which any logged in user could pull. Thankfully, there are no indications that this loophole has ever been exploited. Had someone found this issue before, we would have seen numerous attempts to get information from a single source; besides my own IPs, I couldn't find anything.
Adam made a patch to fix the issue, which has been implemented. So what does this mean for you: best as I can tell, no private information has been accessed, but it's impossible for me to know for sure. The passwords that were accessible were both hashed via a very strong hashing algorithm, and salted; it would be extremely difficult for anyone to reverse engineer raw passwords if they did get their hands on any info. If you reuse your passwords on multiple sites, I recommend getting a strong password manager (I use LastPass, there are many others) and resetting your GP password.
Adam's fix has already started the process of making the code more secure. Today, I will be looking into a new password hashing method that should be even more difficult to break. I will also be building a new mechanism to reset passwords that makes it less likely to be abused, as well as a mechanism to force users to change their passwords. I will be doing a full, top-down review of the code to see if there are any other major vulnerabilities.
I'm so very sorry this happened. I have no excuse; something slipped past me. I'm glad to be able to say with relative certainty that no information was leaked, but again, it's impossible for me to be sure. I'll do my best to make sure there are no other issues, and I hope that now, working with Adam as a co-developer on GP, nothing like this will happen again.
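The two things the post above describes, a profile API that handed back whole user rows (hash, email, date of birth included) to any logged-in user, and the log check for "numerous attempts to get information from a single source", as an added Python example. This is not GP's code or Adam's patch; the user table, field names, URL path and log lines are constructed for illustration, and the hash values are placeholders.

```python
"""Added example (not GP's code): a leaky profile serializer beside an
allowlisted one, plus a log scan for profile enumeration by one source.
All users, field names, paths and log lines here are constructed."""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed user table. The password_hash values are placeholders, not real hashes.
USERS = {
    1: {"id": 1, "username": "alice", "password_hash": "$argon2id$PLACEHOLDER_A",
        "email": "alice@example.com", "dob": "1990-04-12", "bio": "Hi, I'm Alice."},
    2: {"id": 2, "username": "bob", "password_hash": "$argon2id$PLACEHOLDER_B",
        "email": "bob@example.com", "dob": "1985-11-02", "bio": "Bob here."},
}

PUBLIC_FIELDS = ("id", "username", "bio")   # visible to any logged-in user
OWNER_ONLY_FIELDS = ("email", "dob")        # visible only to the account owner
NEVER_EXPOSE = ("password_hash",)           # must never leave the server


def profile_leaky(user_id):
    """The flawed pattern: return the stored row as-is, secrets and all."""
    return dict(USERS[user_id])


def profile_safe(viewer_id, user_id):
    """Allowlist serializer: the response is built only from named fields,
    so a column added to the table later cannot leak by default."""
    row = USERS[user_id]
    fields = list(PUBLIC_FIELDS)
    if viewer_id == user_id:
        fields += OWNER_ONLY_FIELDS
    return {f: row[f] for f in fields}


def response_leaks_secrets(response):
    """Regression check for tests: does an API response carry a forbidden field?"""
    return any(f in response for f in NEVER_EXPOSE)


def constructed_access_log():
    """Constructed log lines: '<ISO timestamp> <ip> GET <path>'."""
    lines = ["2021-11-26T09:59:59 198.51.100.7 GET /index"]
    # One source pulling 12 distinct profiles in 12 seconds (enumeration).
    for i in range(1, 13):
        lines.append(f"2021-11-26T10:00:{i:02d} 203.0.113.5 GET /api/profile/{i}")
    # An ordinary user viewing two profiles.
    lines.append("2021-11-26T10:05:00 198.51.100.7 GET /api/profile/1")
    lines.append("2021-11-26T10:07:30 198.51.100.7 GET /api/profile/2")
    # Slow browsing: 12 profiles, one every ten minutes, should not be flagged.
    for i in range(12):
        hh, mm = 11 + i // 6, (i % 6) * 10
        lines.append(f"2021-11-26T{hh:02d}:{mm:02d}:00 192.0.2.9 GET /api/profile/{i + 1}")
    return "\n".join(lines)


def find_profile_enumeration(log_text, threshold=10, window_seconds=60):
    """Return {ip: peak distinct profiles} for sources that fetched at least
    `threshold` distinct profiles inside any `window_seconds` window."""
    events = defaultdict(list)  # ip -> [(timestamp, profile_id)]
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].startswith("/api/profile/"):
            continue
        ts = datetime.fromisoformat(parts[0])
        events[parts[1]].append((ts, parts[3].rsplit("/", 1)[1]))

    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        in_window = Counter()  # profile_id -> hits inside the sliding window
        start = 0
        for ts, pid in evs:
            in_window[pid] += 1
            # Drop events that fell out of the window.
            while (ts - evs[start][0]).total_seconds() > window_seconds:
                old = evs[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), len(in_window))
    return flagged


if __name__ == "__main__":
    print("leaky:", profile_leaky(1))
    print("safe, other user:", profile_safe(2, 1))
    print("safe, owner:", profile_safe(1, 1))
    print("flagged sources:", find_profile_enumeration(constructed_access_log()))
```

The allowlist is the part that matters: an endpoint that serializes whatever the database returns will leak every new column, whereas one that names its fields fails closed. The enumeration scan is the kind of after-the-fact check the post describes, and the threshold and window are the assumed tuning knobs, not values from GP.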