A few hours ago we were alerted to a serious security breach in Handset Detection which allowed any authenticated user (anyone logged in) to view, and potentially edit, any site in the system. No user, billing, payment or contact information was accessible; only site information. The bug was introduced in a rework of our access control system for a few upcoming features, released yesterday afternoon.
We’ve combed the logs and identified that 5 sites were ‘admin viewed’, and that only one site was ‘admin edited’, by the person who reported the problem, on their own site. This problem could certainly have been much worse, a fact not lost on us, and we’re thankful that Antony reported the issue as soon as he noticed it.
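The bug class described above is a missing object-level authorization check: a site lookup keyed only by site ID, with no test that the caller owns the record. The following is an added illustration, not Handset Detection’s code and not a reconstruction of its access control rework. It assumes a hypothetical data model (a `Site` with an `owner_id`) and a hypothetical `key=value` audit-log format, and shows the unscoped lookup beside the owner-scoped one, plus the kind of log review that finds cross-account accesses after the fact.

```python
"""Added illustration (not Handset Detection's code): object-level
authorization on per-site records, insecure and scoped variants side by
side, and a scan of constructed audit-log lines for cross-account access."""
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when a user touches a site they do not own."""


@dataclass
class Site:
    site_id: int
    owner_id: int
    name: str


@dataclass
class SiteStore:
    sites: dict = field(default_factory=dict)  # site_id -> Site (hypothetical model)

    def get_site_unscoped(self, user_id: int, site_id: int) -> Site:
        # Lookup by primary key alone: the caller's identity is ignored, so any
        # authenticated user can read (and, via an edit path, write) any site.
        return self.sites[site_id]

    def get_site(self, user_id: int, site_id: int) -> Site:
        # Scoped lookup: ownership is part of the query, not an afterthought.
        site = self.sites.get(site_id)
        if site is None or site.owner_id != user_id:
            # Same error for "missing" and "not yours", so site IDs cannot be enumerated.
            raise Forbidden(f"user {user_id} may not access site {site_id}")
        return site

    def rename_site(self, user_id: int, site_id: int, new_name: str) -> Site:
        # Write paths reuse the scoped read; the check is never reimplemented per endpoint.
        site = self.get_site(user_id, site_id)
        site.name = new_name
        return site


def can_access(store: SiteStore, user_id: int, site_id: int) -> bool:
    try:
        store.get_site(user_id, site_id)
        return True
    except Forbidden:
        return False


def find_cross_account_access(lines, store: SiteStore):
    """Return (actor, action, site_id) for each logged access to a site the actor does not own.

    Log format is an assumption: whitespace-separated key=value pairs with
    'user', 'action' and 'site' keys.
    """
    hits = []
    for line in lines:
        fields = dict(kv.split("=", 1) for kv in line.split())
        actor, site_id = int(fields["user"]), int(fields["site"])
        site = store.sites.get(site_id)
        if site is not None and site.owner_id != actor:
            hits.append((actor, fields["action"], site_id))
    return hits


def build_sample():
    """Constructed sample data: two owners, three sites, and a few audit lines."""
    store = SiteStore({
        1: Site(1, 100, "alpha.example"),
        2: Site(2, 200, "beta.example"),
        3: Site(3, 200, "gamma.example"),
    })
    lines = [
        "ts=12:00:01 user=100 action=admin_view site=1",   # own site: fine
        "ts=12:00:05 user=100 action=admin_view site=2",   # cross-account view
        "ts=12:00:09 user=100 action=admin_view site=3",   # cross-account view
        "ts=12:00:14 user=100 action=admin_edit site=1",   # edit, but of their own site
        "ts=12:01:00 user=200 action=admin_view site=2",   # own site: fine
    ]
    return store, lines


if __name__ == "__main__":
    store, lines = build_sample()
    print(find_cross_account_access(lines, store))
```

The unscoped variant is the shape that slips in when a lookup helper is refactored and the ownership clause moves out of the query; the scoped variant keeps the owner filter inside the single function every read and write path goes through, so there is no endpoint where it can be forgotten.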
If you have any queries, concerns or require more information feel free to reach me directly.
PS : We take the trust you place in us seriously and so have made this blog post in the interests of full disclosure. We hold ourselves, and our product, to a high standard. When we fall short of that standard it’s important we let you know.