We had three security issues in our developer environment reported by security researcher Ron Masas recently, which we’ve identified and repaired. Thanks to Ron for his help in identifying these issues and in suggesting some ways to correct them. (And special thanks to our lead developer James Walker for getting them fixed so fast.)
The first pair of issues involved a code path that allowed an unsanitized email address to be saved to our user database. Combined with a way to share a user session across users, it allowed a cross-site scripting attack.
The third issue was a cross-site scripting attack caused by the way we were pulling data into our default React session. Carefully restructuring the request would cause a user’s browser to send their important session data to a third party. We repaired this bug by restructuring how the default session data is injected.
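As an added illustration (not code from the project or from this post), here are the two defensive checks that address the bug classes described above: validating an email address before it reaches the database, and escaping session data before it is injected into an inline script tag for the React client. Function names and the `window.__INITIAL_STATE__` convention are assumptions.

```javascript
// Added example, not the project's own code. Names are hypothetical.

// 1. Validate an email address before it is written to the user database.
//    Conservative allow-list: local@domain, no whitespace, no angle
//    brackets, quotes or other HTML/JS metacharacters.
const EMAIL_RE = /^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$/;

function isValidEmail(value) {
  return typeof value === "string" && value.length <= 254 && EMAIL_RE.test(value);
}

// 2. Serialise session data for an inline <script> tag safely.
//    JSON.stringify alone is NOT enough: a string containing "</script>"
//    closes the tag early, and U+2028/U+2029 break older JS parsers.
//    The \uXXXX escapes stay valid JSON, so JSON.parse round-trips them.
function serializeForInlineScript(obj) {
  return JSON.stringify(obj)
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/&/g, "\\u0026")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

function renderInitialStateTag(session) {
  return `<script>window.__INITIAL_STATE__ = ${serializeForInlineScript(session)};</script>`;
}

// Constructed sample value: an email that should be rejected at write time
// and that, had it reached the database, must not break out of the tag.
const badEmail = "mallory@example.com</script>";
const naive = `<script>window.__INITIAL_STATE__ = ${JSON.stringify({ email: badEmail })};</script>`;
const safe = renderInitialStateTag({ email: badEmail });

// Count closing tags: the naive render has two (the tag closes early),
// the escaped render has only the real one.
function closingTagCount(html) {
  return html.split("</script>").length - 1;
}

console.log(isValidEmail("alice@example.com")); // true
console.log(isValidEmail(badEmail));            // false
console.log(closingTagCount(naive));            // 2
console.log(closingTagCount(safe));             // 1
```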
We don’t know of any abuses of these bugs in the wild.
We think it’s important to be transparent about security issues. We especially want to encourage security researchers to share their findings with us and other application developers. Thanks again to Ron for the great work.