As some of you might've heard, we discovered a security issue earlier today and asked users to update immediately. We apologize for the inconvenience this has caused. This is a report on what happened and how we have addressed the issue. [h2]What happened?[/h2] Earlier today, we became aware that when a user logs into Resonite by typing their credentials and the login succeeds, the user's login token ends up written to the log file. If this log file is then shared with anyone by that user, it can be abused to get access to the user's account under certain conditions. [h2]Why did this happen?[/h2] The original goal was to log in just basic information about the login process - mostly the server response status. However at some point we have extended the diagnostic to print out the entire entities coming from the cloud (this includes a number of entities that do not contain sensitive data as this), which affected the login entity, exposing its internal data by accident. [h2]Who did this affect?[/h2] The session token system is designed to limit their lifetime and usability, to minimize the impact of accidental leaks like this. The tokens are made to be short lived if possible and will be invalidated in following conditions: [list] [*] When user explicitly logs in from the same machine [*] When user checks “Remember Me” and starts their client again [*] The token expires (1 day without “Remember Me” and 30 days with “Remember Me”) [/list] Given this mechanism, you would’ve been potentially affected by this given you meet the following conditions: [list] [*] You have shared a log file from a client session where you logged in by typing your credentials (username/email and password) [*] You have not logged in again on the same machine manually [*] You have not started the client again since logging in [/list] [h2]Was there a cloud data breach?[/h2] No. The only way the tokens leaked is by users sharing a log from their own machine from when they logged in. Additionally we do not store the actual session tokens on our cloud - instead we store a salted hash of those tokens. As a result, even in the event of a data breach on the cloud where the session information would get leaked, an attacker would be unable to use this data to access your account. [h2]What did we do to resolve this issue?[/h2] We have published a new client which removes the logging from the login process and requested that any online users update immediately. Roughly 10 minutes following this, we have cleared any existing sessions in the database that only had a single login (meaning they were the original login session, which would be vulnerable). Users who have had “Remember Me” turned on and have restarted the client at least once were not affected, since the potentially leaked session token from login was already removed from the database by the subsequent launches of the client. [h2]What are we doing to prevent this in the future?[/h2] To ensure that similar mistakes do not happen again, we’re making a few modifications to the system to tighten its security: [list] [*] Mark sensitive cloud entities and prevent them from being logged for diagnostics -- Entities containing the session token are now marked as such. The diagnostic systems respect this mark and will not print out their contents -- This prevents situations where we would accidentally end up printing out the entity to the log from revealing the sensitive information again [*] Extending long running sessions will regenerate token at regular intervals -- For long running clients (e.g. headless), the original login token would be kept and its lifetime would be extended continuously for weeks or even months (depending on when restart occurs), but the token would remain same, allowing it to be potentially exploited if it’s leaked -- From now on, the token will be regenerated and the previous one invalidated at regular intervals - this is currently every day. As a result the potential window for exploitation of a given token is now much shorter for long running sessions [*] Validating user’s secret machine ID -- Each instance of the client generates a unique secret machine ID which is used to identify that machine. This is used to differentiate multiple sessions from multiple machines / installs -- From now on, in addition to validating the token itself, the secret machine ID is used to ensure that the client trying to access the account is the same one as that originally logged in In case the session token ends up leaking, it will be insufficient to access the user's account without also knowing the secret machine ID. This would require both pieces of information to leak -- Note: This is different from the user’s “Machine ID” which is used to identity user’s machine to other users [/list]