pretix.eu security incident
Today, we found a critical security bug in pretix that was deployed on pretix.eu for about 20 minutes. We can be sure that no customer data was actually impacted. However, in the interest of full transparency, we still publish this record for your information.
The bug was not contained in any published pretix release, but in the pretix development version between February 1st, 16:45 UTC+1 and February 4th, 14:50 UTC+1. If you installed pretix from git in that timeframe (13cc57e9…07d42a4d) and have multiple tenants using your application, you should upgrade immediately.
On Friday, we implemented a number of new exports to make it easier to transfer pretix data to your accounting department. For example, we added an Excel export of all data contained in invoices. We deployed this new feature to pretix.eu today around 08:57 UTC+1. However, due to an incompatibility with old invoice records, this new feature did not work on pretix.eu at all and did not output any data.
At 14:20 UTC+1, we deployed a new software version to pretix.eu to fix the bug in the new feature. However, the feature contained a very serious security bug that we had not noticed before: while the export correctly contained only the invoices of the selected event, it contained the invoice lines of all events in the system, and therefore potentially attendee data of every event with the invoicing feature turned on.
Around 14:37, we discovered the bug ourselves during final testing of the feature. After we recognized the issue, we immediately shut down parts of the system at 14:40 to make sure the bug could no longer be exploited.
By 15:02, we had deployed a fix that permanently fixes the issue, and by 15:09 full system availability was restored.
How do we know nobody was impacted?
The only way to gain access to private data through that bug was to create an export through pretix's interface. Since all exports are written to disk and kept for three days even before they are sent to the user, we can be sure that no user performed an export containing sensitive data in the relevant timeframe, apart from the test run in which we found the bug.
We are therefore certain that this incident does not result in a risk to the rights and freedoms of natural persons and therefore does not require a notification of authorities under Art. 33 GDPR.
What do we do to prevent this in the future?
Data leakage across multiple clients is a very typical kind of security bug in any multi-tenant application like pretix. So far, we've been able to prevent it through thorough code review and coding best practices that make it hard to make this kind of mistake.
However, we'd like to prevent this kind of error on a more fundamental level to avoid problems like this happening again any time soon. We have already been working on a concept for a monitoring solution that automatically detects many of these situations and can shut down the system and alert us automatically if such a thing ever happens again. We will make the work on this system a top priority in the next weeks and expect to deploy it within the month.
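The shape of the bug described above (invoices scoped to one event, invoice lines pulled from every event) and the kind of scope check a monitor could apply to an export before it is handed out, as an added illustration. This is not pretix's own code: the model classes, sample events and attendee names are constructed for the example, and the export functions only mirror the pattern the post describes.

```python
"""Added illustration of a cross-tenant export bug, its fix, and an automated
tenant-scope guard. Not pretix code; all names and data are constructed."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Invoice:
    number: str
    event: str          # tenant boundary: the event this invoice belongs to


@dataclass(frozen=True)
class InvoiceLine:
    invoice: Invoice
    description: str
    attendee: str       # personal data that must never cross the event boundary


# Constructed sample data: two events sharing one multi-tenant installation.
INVOICES = [
    Invoice("A-001", "conf-2019"),
    Invoice("B-001", "workshop-2019"),
]
INVOICE_LINES = [
    InvoiceLine(INVOICES[0], "Conference ticket", "Alice Example"),
    InvoiceLine(INVOICES[1], "Workshop seat", "Bob Example"),
]


def _line_row(ln: InvoiceLine) -> dict:
    return {"invoice": ln.invoice.number, "event": ln.invoice.event,
            "description": ln.description, "attendee": ln.attendee}


def export_vulnerable(event: str) -> dict:
    """Mirrors the reported bug: the invoice sheet is filtered by event, but
    the invoice-line sheet is built from every line in the system."""
    invoices = [i for i in INVOICES if i.event == event]   # scoped correctly
    lines = INVOICE_LINES                                   # NOT scoped
    return {"invoices": [{"number": i.number, "event": i.event} for i in invoices],
            "lines": [_line_row(ln) for ln in lines]}


def export_fixed(event: str) -> dict:
    """Hardened form: a line is included only if it hangs off an invoice that
    itself belongs to the requested event."""
    invoices = [i for i in INVOICES if i.event == event]
    allowed = set(invoices)
    lines = [ln for ln in INVOICE_LINES if ln.invoice in allowed]
    return {"invoices": [{"number": i.number, "event": i.event} for i in invoices],
            "lines": [_line_row(ln) for ln in lines]}


class TenantScopeViolation(Exception):
    """Raised when an export carries rows from a different tenant."""


def assert_single_tenant(export: dict, event: str) -> dict:
    """Guard in the spirit of the planned monitor: every row of every sheet
    must carry the requested event, otherwise the export is refused (and in
    production this would be the point to alert or halt exports)."""
    foreign = [row for sheet in export.values() for row in sheet
               if row["event"] != event]
    if foreign:
        raise TenantScopeViolation(
            f"{len(foreign)} row(s) belong to other events than {event!r}")
    return export


if __name__ == "__main__":
    print(export_vulnerable("conf-2019")["lines"])   # leaks Bob's row
    print(export_fixed("conf-2019")["lines"])        # only Alice's row
```

The guard deliberately checks the finished export rather than the query that produced it: a query can be scoped wrongly in many ways, but an export whose rows all carry the requesting tenant's identifier is correct regardless of how it was built, which is what makes this kind of check a useful last line of defence in a multi-tenant system.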
We take the security of our service very seriously and always go the extra mile to make sure you stay safe. As we are humans, security issues might unfortunately still occur from time to time. We deeply apologize for this and we do everything in our power to find and fix such problems as promptly as we can. If you notice any security problems or have any questions on this topic, please contact us in private at firstname.lastname@example.org. We will always treat your message with the appropriate priority.