December | 2018 | Zooniverse

We recently fixed a security vulnerability that existed in the external/social links (e.g. to Twitter) of projects. Prior to this fix, it was possible for project owners to do two things: 1. create external links that ran malicious JavaScript code if they were clicked (e.g. allowing attackers to capture a user’s login session), and 2. create a link to a malicious website disguised as a “legitimate” link to a known Social website (e.g. a Twitter link that actually directed users to the spoof website “twiitteerrer.com”). Our patches fix both issues, and a follow up investigation revealed that there is no indication this vulnerability was exploited by anyone.

The security issue was discovered on 11 Dec 2018 during an internal security check. The first patch in the series (addressing the major JavaScript injection vulnerability) was deployed within 6 hours, and the final patch (addressing the relatively less harmful issue of spoof-able social links) deployed 2 days later.

The fixes for this vulnerability are contained in pull requests #5141, #5142, and #5148 of the Panoptes Front End project on GitHub. Anyone running their own hosted copy of this should pull these changes as soon as possible.

Additional notes on our investigation are as follows:

The vulnerability was introduced on 14 May 2015, in pull request 324.
Custom links for projects and organisations allowed project builders to cause a user’s browser to execute arbitrary javascript by entering URLs like javascript: alert('oh no'); if the user clicked on that link, the javascript would run.
Malicious javascript executed this way could do whatever it wanted on the site, i.e. it could have stolen logged-in users’ API tokens, logged users out and captured their passwords when re-logging in.
Theoretically, passwords may have been have been exposed if malicious Javascript captured them on login, though this would only impact users that click malicious links. Emails may have been exposed, notably if an admin user account was breached.
However, we audited the database but could find no evidence (other than our own tests) of this having been done by project owners.
Our current solution is to sanitise all external/social links – both when taking input from users and when rendering them on webpages – and only allowing standard website URLs to pass.

As a side effect of our fixes, project owners are now unable to add non-standard website URLs to their project’s external links – for example, https://example.com continues to work fine, but mailto:hello@example.com no longer does.

We apologise for any concern this issue may have caused.

We recently uncovered a couple of bugs in the Zooniverse code which meant that the wrong question text may have been shown to some volunteers on Zooniverse projects while they were classifying. They were caught and a fix was released the same day on 29th November 2018.

The bugs only affected some projects with multiple live workflows from 6th-12th and 20th-29th November.

One of the bugs was difficult to recreate and relied on a complex timing of events, therefore we think it was rare and probably did not affect a significant fraction of classifications, so it hopefully will not have caused major issues with the general consensus on the data. However, it is not possible for us to say exactly which classifications were affected in the timeframe the bug was active.

We have apologised to the relevant science teams for the issues this may cause with their data analysis, but we would also like to extend our apologies to all volunteers who have taken part in these projects during the time the bugs were in effect. It is of the utmost importance to us that no effort is wasted on our projects and when something like this happens it is taken very seriously by the Zooniverse team. Since we discovered these bugs we worked tirelessly to fix them, and we have taken actions to make sure nothing like this will happen in the future.

We hope that you accept our most sincere apologies and continue the amazing work you do on the Zooniverse. If you have any questions please don’t hesitate to contact us at contact@zooniverse.org.

Sincerely,

The Zooniverse Team

Zooniverse

Monthly Archives: December 2018

Fixed Cross-Site Scripting Vulnerability on Project Page’s External Links

Zooniverse Workflow Bug

The Zooniverse Blog. We're the world's largest and most successful citizen science platform and a collaboration between the University of Oxford, The Adler Planetarium, and friends