Hi, Approximately 8 hours ago we were made aware that Cross-Site Request Forgery (CSRF) could be used to trick a logged-in user of the BitFolk Panel at https://panel.bitfolk.com/ into carrying out changes that could allow their account to be compromised. As there was no checking that requests actually came from forms generated on the panel site, if a logged-in user was tricked into submitting an HTTP request from elsewhere then they could change sensitive details about their account such as: - Adding SSH keys for console access - Altering contact email address - Invalidating/Disabling two factor authentication - Enabling email password reset, if it was disabled We have no evidence that any of these actions have ever been carried out maliciously, but aside from reports we would have no way of knowing, so we would advise that all customers log in to their Panel account and check that the list of SSH keys is as they expect. All of the forms on the sensitive pages, which include everything under: * https://panel.bitfolk.com/account/security/ * https://panel.bitfolk.com/account/contacts/ were today secured against CSRF so there is now no way to use this technique to compromise an account. The vulnerability would have been there ever since the Panel site existed, or the relevant features were added. The remaining forms, which only cover fairly trivial informational items, will be fixed as soon as possible. You can track that work at our tracker: * https://tools.bitfolk.com/redmine/issues/156 Thanks must go to Dominic Cleal <https://m0dlx.com/> who responsibly disclosed the problem to us today and has assisted with testing of our fixes. More general information about CSRF: * https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF) If you have any further questions please do let us know by replying to the users list (users(a)lists.bitfolk.com) or to support(a)bitfolk.com if you need to discuss anything specific to your account. Thanks, Andy -- https://bitfolk.com/ -- No-nonsense VPS hosting _______________________________________________ announce mailing list announce(a)lists.bitfolk.com https://lists.bitfolk.com/mailman/listinfo/announce