Security issues in Fuzzy.ai developer environment fixed

We had three security issues in our developer environment reported by security researcher Ron Masas recently, which we’ve identified and repaired. Thanks to Ron for his help in identifying these issues and in suggesting some ways to correct them. (And special thanks to our lead developer James Walker for getting them fixed so fast.)

The first two issues worked together. One was a path that allowed saving an unsanitized email address to our user database; the other was a way to share a user session across users. Combined, they allowed a cross-site scripting attack.

The third issue was a cross-site scripting attack caused by the way we were pulling data into our default React session. Carefully restructuring the request would cause a user’s browser to send their important session data to a third party. We repaired this bug by restructuring how the default session data is injected.

We don’t know of any abuses of these bugs in the wild.

We think it’s important to be transparent about security issues. We especially want to encourage security researchers to share their findings with us and other application developers. Thanks again to Ron for the great work.

Security issue in Fuzzy.ai API fixed

We’ve identified and corrected a content spoofing issue in the API server for Fuzzy.ai. Thanks to Nessim Jerbi for identifying and reporting this security bug, as well as recommending a fix.

Our 404 handler on the API server would echo the erroneous path in its error message. An attacker could craft a path that would inject text into the error message for other users, giving the impression that it was an official message from Fuzzy.ai.

We’re not aware of any abuse of this bug having occurred. The bug has been patched on our servers and does not require any updates to client software or SDKs.
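
The 404 behaviour described above, as an added example that is not Fuzzy.ai's code: a handler that echoes the requested path, beside one that returns a constant message and keeps the path only in the server log. The function names, response shape, log format and sample path are assumptions made for illustration.

```javascript
// Added example; every name below is hypothetical, not Fuzzy.ai's code.

// Decode a request path without throwing on malformed percent-escapes.
function safeDecode(requestPath) {
  try {
    return decodeURIComponent(requestPath);
  } catch (err) {
    return requestPath;
  }
}

function jsonResponse(status, payload) {
  return {
    status,
    headers: { 'Content-Type': 'application/json; charset=utf-8' },
    body: JSON.stringify(payload)
  };
}

// Before: the error message repeats whatever path the client requested.
function notFoundEchoing(requestPath) {
  return jsonResponse(404, {
    status: 'error',
    message: `No such resource: ${safeDecode(requestPath)}`
  });
}

// After: the body is a constant; the path goes only to the server-side log,
// JSON-quoted so embedded newlines cannot forge extra log lines.
function notFoundFixed(requestPath, log) {
  log.push(`404 path=${JSON.stringify(safeDecode(requestPath))}`);
  return jsonResponse(404, { status: 'error', message: 'Not found' });
}

// Regression check: does any text from the request path reach the body?
function reflectsPath(response, requestPath) {
  const message = JSON.parse(response.body).message;
  return safeDecode(requestPath)
    .split('/')
    .filter((segment) => segment.length > 0)
    .some((segment) => message.includes(segment));
}

// Constructed sample input.
const samplePath = '/Notice%3A%20this%20text%20came%20from%20the%20URL';
const serverLog = [];
console.log(reflectsPath(notFoundEchoing(samplePath), samplePath)); // true
console.log(reflectsPath(notFoundFixed(samplePath, serverLog), samplePath)); // false
```

A check like `reflectsPath` can run in the API's test suite against every error route, so a later change that reintroduces request text into an error body fails the build.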