pretix.eu security incident
Today, we found and fixed a security bug in pretix that was deployed on pretix.eu for 9 days. We have reason to believe that no customer data was impacted.
The bug was contained only in the pretix release 2.8.0, but was found only seconds after the 2.8.0 release was uploaded to PyPI and before the 2.8.0 release was announecd on this page. We immediately deleted the release 2.8.0 from PyPI two minutes after it was uploaded and issued a release 2.8.1, so we consider it highly unlikely that any self-hosted instances are affected. However, please double-check that you are not running version 2.8.0. Due to a follow-up error, we also had to release version 2.8.2 immediately, but 2.8.1 is already safe from the vulnerability.
If you are running a development version of pretix that you updated after May 28th, please upgrade to the latest version immediately.
If you use pretix Hosted, you do not need to take any action.
If you open the pretix backend, you will see the navigation context above the menu items on the left: Either your user account, an organizer account or an event. If you click it, you can search for other navigation contexts that you have access to.
On May 28th, we implemented a change to this feature: If you are currently viewing an event, we would always sort the organizer of that event to the very top of that list to make it easier for you go to "upwards" in the navigation.
The implementation of this feature had a flaw that allowed it to be exploited to enumerate all organizers in the
system by manually
accessing the API of this feature at
https://pretix.eu/control/nav/typeahead/?organizer=12345 with the ID of a
random organizer. Due to the bug, the API would return name and slug of the organizer, regardless of whether the
currently authenticated user had access to that data.
What is the impact?
Theoretically, an attacker could have used this to retrieve a list of all companies selling tickets on pretix.eu. Only the names of the companies and the short form of the organizer would have been disclosed, not anything else.
However, we believe that no attacker has found and used this vulnerability for the following resons:
We carefully reviewed our web server logs of the last 9 days for any requests to the vulnerable API endpoint and we have not been able to identify any suspicious behaviour such as systematically accessing multiple organizer IDs in a row.
Even though organizer IDs are incremented numbers, they have gaps. A different bug in the feature caused an Internal Server Error whenever an invalid ID was given. However, all Internal Server Errors on pretix.eu trigger an automatic notification of our development team, and we did not receive any of these notifications regarding this issue in the last 9 days. Someone systematically abusing the vulnerability would have triggered this bug soon enough.
Even if a theoretical attacker used the vulnerability to access the names of one or two other organizers, which we cannot completely rule out, we consider this to be a very low risk since this is more or less public information anyways: With a little use of Google search, it's easy enough to find out who is using our service.
We do not consider it necessary to alert the data protection authorities since in any case, no personal data of any natural persons could have been leaked.
We apologize deeply that this happened. We're currently already researching ways to prevent this category of bug in the future and hope to find a good solution here soon.
We take the security of our service very seriously and always go the extra mile to make sure you stay safe. As we are humans, security issues might unfortunately still occur from time to time. We deeply apologize for this and we do everything in our power to find and fix such problems as timely as we can. If you notice any security problems or have any questions on this topic, please contact us in private at firstname.lastname@example.org. We will always treat your message with the appropriate priority.