Fixed Cross-Site Scripting vulnerability on hosted media domains

We recently fixed a security vulnerability whereby an attacker could upload executable content to our media storage domains.

On 13th November 2022, a security researcher notified us of a cross-site scripting (XSS) vulnerability affecting our media storage domains. This XSS vulnerability made it possible for attackers to upload content to our storage domains that could then be shared as links for use in ‘phishing’ or other attacks.

We fixed the vulnerability on the morning of 15th November 2022 by blocking script access to the API from the impacted domains, ensuring that any malicious code hosted there could not reach authenticated private data. This remedial action was followed by another fix on 16th November that deployed block rules at our Content Distribution Network (CDN) provider to prevent malicious resource links being served to users. In addition, on 8th December we deployed a change to the API so that only non-executable media files can be uploaded to these storage domains.
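As an added illustration (this is not code from the affected service, whose implementation the post does not show), the following Python sketches the two server-side layers described above: the API refusing script access from the storage origins via CORS, and the upload path rejecting anything a browser could execute, including a PNG/HTML polyglot. It also adds response headers for the storage domain as a third layer that the post does not mention. Hostnames, the format allow-list, header values and the sample uploads are assumptions constructed for the example; the CDN block rules are provider-specific and are not reproduced.

```python
"""Illustrative hardening for a user-upload media domain (example, not the affected service's code)."""
import re

# Allow-list of (magic bytes, MIME type, permitted extensions). Constructed for the example;
# a real service lists every format it intends to host and nothing else.
ALLOWED_FORMATS = [
    (b"\x89PNG\r\n\x1a\n", "image/png", {"png"}),
    (b"\xff\xd8\xff", "image/jpeg", {"jpg", "jpeg"}),
    (b"GIF87a", "image/gif", {"gif"}),
    (b"GIF89a", "image/gif", {"gif"}),
]

# Markers of content a browser could execute if it ever reached a document context:
# HTML, SVG (which may carry <script>) and javascript: URLs. Also catches polyglots.
ACTIVE_CONTENT = re.compile(rb"<\s*(script|svg|html|iframe)\b|<!doctype\s+html|javascript:", re.IGNORECASE)


def rejection_reason(filename: str, data: bytes):
    """Return None if the upload is acceptable, else a string saying why it was rejected.

    The declared filename/extension is never trusted on its own: the bytes must begin with
    the signature of an allow-listed format, the extension must agree with that signature,
    and the body must not contain active markup (a PNG with <script> appended is still rejected).
    """
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    for magic, mime, exts in ALLOWED_FORMATS:
        if data.startswith(magic):
            if ext not in exts:
                return f"extension .{ext} does not match detected {mime}"
            if ACTIVE_CONTENT.search(data):
                return f"active content embedded in {mime} body"
            return None
    return "not an allow-listed media format"


def detected_mime(filename: str, data: bytes) -> str:
    """MIME type to record for an accepted upload; raises ValueError for a rejected one."""
    reason = rejection_reason(filename, data)
    if reason is not None:
        raise ValueError(reason)
    return next(mime for magic, mime, _ in ALLOWED_FORMATS if data.startswith(magic))


def storage_response_headers(mime: str) -> dict:
    """Headers every object on the storage domain is served with (assumed values).

    Even if something slips past the upload check, nosniff stops the browser from
    reinterpreting the body as HTML, and the CSP sandbox leaves a document with no
    script and no access to the storage origin's cookies.
    """
    return {
        "Content-Type": mime,
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; sandbox",
        "Cross-Origin-Resource-Policy": "same-site",
    }


# The application origin is the only one allowed to call the authenticated API from script.
# Storage domains are deliberately absent. Hostnames are assumptions for the example.
API_ALLOWED_ORIGINS = {"https://app.example.com"}


def api_cors_headers(origin: str) -> dict:
    """CORS response headers for an API request arriving from `origin`.

    A script smuggled onto a storage domain runs in that domain's origin; with no
    Access-Control-Allow-Origin in the response, the browser withholds the authenticated
    response body from it. This is the "block script access to the API" step.
    """
    if origin in API_ALLOWED_ORIGINS:
        return {
            "Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin",
        }
    return {}


# Constructed sample uploads: a minimal PNG header, an SVG carrying a script, and a PNG/HTML polyglot.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + b"\x00" * 13
SAMPLE_SVG_AS_PNG = b'<svg xmlns="http://www.w3.org/2000/svg"><script>alert(document.cookie)</script></svg>'
SAMPLE_POLYGLOT = SAMPLE_PNG + b"<script>fetch('/api/me')</script>"

if __name__ == "__main__":
    for name, blob in [("cat.png", SAMPLE_PNG), ("cat.png", SAMPLE_SVG_AS_PNG),
                       ("cat.png", SAMPLE_POLYGLOT), ("cat.jpg", SAMPLE_PNG)]:
        print(name, rejection_reason(name, blob) or "accepted")
    print(api_cors_headers("https://media-1.example.net"))  # {} : a storage domain gets no CORS grant
```

The three layers are independent on purpose: the CORS check protects the API even if a malicious file is already hosted, the upload check keeps new executable content out, and the response headers neutralise anything the first two miss.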

The mitigation and fix steps described above allowed us time to research the problem and audit our storage systems for any live exploits. After this audit we determined that this vulnerability had not been exploited for any malicious purpose; no data was leaked and no users were exposed to injected code.

We’d like to thank Michal Biesiada (https://github.com/mbiesiad) for bringing this issue to our attention and for following responsible disclosure by reporting it to us in private, as requested on our security page.