I've been a member for a while now and when I tried to log in tonight I was greeted by my password was changed by an admin. Not a big deal as I was able to reset my password. Any reason this happened?
Hey there, everyone! To address the password change - I was notified by Vanilla Forums about two weeks ago that they found and patched a vulnerability in their platform. They didn't find any evidence of wrongdoing, but sent out a platform-wide password change as a safety precaution. Since they didn't find any malicious activity, I figured it didn't warrant a system-wide announcement, but clearly I should know better than that!I've been answering questions as they get PMed to me, but I haven't had time to scroll through the forum to look for discussions about it as well. As far as I'm aware, the gist of it was just that they found a bug, patched it up, and took some extra safety precautions. If you've got any other questions, feel free to ask!
Vanilla stores records of user information in its databases, for display and authentication purposes. The full record is generally not visible to the public and is guarded by various permission checks through Vanilla's controllers and API endpoints.
In Vanilla's APIv2 endpoints additional validation exists to ensure that only certain, predefined fields are returned from any particular endpoint. This is called a Schema.
A bug in sanitization logic caused the schema not to be applied to a single APIv2 endpoint. For customers using our "Rich Text Editor" this caused user records to outputted to the HTML source sent to browsers while quoting comments and discussions. While this data was not visible to the eye, it could be accessed by:
· Inspecting the network requests while quoting some user content.
· Inspecting the HTML of rich comment or discussion quotes.
In addition, for all Vanilla customers regardless of text editor in use:
· Calling the /api/v2/media/scrape endpoint directly (with permission to view the scraped discussion or comment). We are currently evaluating logs to determine if any evidence of malicious action against this API is present, thus far no evidence is present in the log reviews performed to date.
Affected data includes entire user records made up of:
· Passwords (salted & hashed)
· Our hashing mechanism is BCRYPT with a cost of 10
· Email Addresses
· IP addresses
· User preferences
· Users roles and ranks