Incident Report: Data leak in pretalx 1.0
June 7, 2019
Today, we found and fixed a data leak in pretalx that was deployed on pretalx.com for several weeks. User data was impacted, and we have contacted all users and customers concerned in the data leak.
The bug was contained in the recent pretalx release 1.0.0 and 1.0.1, but has been deployed on pretalx.com for about two months, since a stable development version was deployed. We have released a further bugfix release, 1.0.2, and we advise all users of pretalx to upgrade as soon as possible. If you use pretalx.com, you do not need to take any action.
As of the recent 1.0 release, a new feature allowed users to see emails sent to them on the website, in case a mail got lost in a spam filter or rejected due to a full mailbox. Organisers could also see which mails were sent to a user in their event for the same reason – only due to a bug, organisers could see all mails a user was sent, not only mails for the current event. Since these emails contain information regarding which talks were accepted or rejected, we consider the information leak as highly personal data, and critical to pretalx functionality.
The bug was discovered by one of our customers, PyCon UK. As per our security policy they contacted us directly on 2019-06-07, 18:54 CEST, or about four hours at the writing of this post. We (that is, Tobias) saw the email roughly 15 minutes later while while on public transport. At 19:21 he had built and published a fix, which was also rolled out on pretalx.com at this time. From that time on until the release of this blog post, we worked on incident analysis to figure out who was impacted, released a security release, contacted the impacted users, and released this blog post.
What is the impact?
All instances running pretalx 1.0.0 or 1.0.1 will expose all emails sent to users to all organisers with access to speakers, where only emails of the current event should be exposed. We recommend all pretalx instances to be updated to 1.0.2 as soon as possible.
On pretalx.com, we analyzed both the data in our database and our web server logs to determine who was impacted by this bug, i.e. who had been sent emails from different events, and was accessed afterwards in a way that showed email information to organisers. Our analysis showed that 20 users in the domain of 5 organisers were impacted. We contacted all of them directly with detailed information which of their data was accessed by which organiser team.
We apologize deeply that this happened. We strive to provide a good and secure product, and we fell short of our goal. Apart from fixing this issue as soon as we learned of it, we will also take action to prevent this whole error class from occurring in the future.
Particularly, to secure against future data leaks that reach across events, we had already started to evaluate django-scopes, a library to stop this error class before it can become a problem. It requires database queries to run in an explicit event scope, and will block queries that do not provide this scope, unless they are explicitly excluded from this rule.
Sadly, our evaluation of this library 20 days ago still showed some issues with its inclusion with pretalx, so we didn't manage to integrate it before the 1.0 release. We will make the inclusion of django-scopes a priority now, and will defer any other feature development until we consider this issue solved to our satisfaction.
As cliche as this may sound: we take the security of our service very seriously and make it a priority to the best of our ability. As we are humans, security issues might unfortunately still occur from time to time. If you notice any security problems or have any questions on this topic, please contact us in private at email@example.com.