Bug with migrated OAuth2 logins

Jevon Wright, published in CryptFolio, Aug 16, 2018

On August 15th 2018, our engineers discovered that our user migration script had a bug, which could allow a single user to log into the incorrect CryptFolio account.

As soon as this bug was discovered, we immediately halted all potentially compromised login attempts (as per our security policy), and launched a full investigation into the issue. This bug is now fixed.

Further investigation has shown that the impact of this bug was limited to a small set of users who signed up to old.cryptfolio.com between April 2015 and December 2015; a total of 48 user accounts. We have individually contacted each of the affected users with more information on how to resecure their accounts.

Impact

Our investigation shows no indication of breach or misuse by anyone, but we’re taking this very seriously and have decided to fully disclose everything we know about the bug.

Due to the security built into the design of CryptFolio (more details at https://cryptfolio.com/security), no cryptocurrency should be at risk. For affected accounts, there is a chance that the following personally identifiable information could have been retrieved:

  • Account name
  • Account e-mail address
  • Portfolio public addresses, if any
  • Portfolio third-party API keys, if any (NOT including any API secrets)
  • Portfolio offsets, if any

Once again, because we only use read-only API keys and public addresses, no cryptocurrency should be at risk.

About the bug

When exporting data from old.cryptfolio.com to the new site for migration, we would export both the old user data and the existing OAuth2 login methods associated with each account.

The export script filtered OAuth2 identities on user_oauth2_identities.id (the identity row's own primary key) instead of user_oauth2_identities.user_id (the owning user). Because those two columns generally hold different values, the resulting import attached the wrong OAuth2 identities (the combination of provider + uid) to some migrated accounts.

Because each misattributed identity belongs to exactly one real person, only a single person could have logged into a single affected CryptFolio account, using their existing Google login. No passwords or hashes could have been exposed.
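To make the failure mode concrete, here is an added example (not CryptFolio's migration script; the schema, table contents and every name other than the user_oauth2_identities.id and .user_id columns are assumptions) that runs the buggy and the corrected export against a constructed SQLite database and then applies the post-migration check a practitioner would want before re-enabling logins: every exported (provider, uid) pair must still map to the user who owned it in the source.

```python
import sqlite3

# Constructed sample data for the demonstration; not CryptFolio's schema or users.
# Identity row ids are deliberately out of step with user ids, as they would be
# in any real table where users add, remove and re-add login methods over time.
USERS = [
    (1, "alice", "alice@example.com"),
    (2, "bob", "bob@example.com"),
    (3, "carol", "carol@example.com"),
]
# (id, user_id, provider, uid)
IDENTITIES = [
    (1, 3, "google", "g-carol"),
    (2, 1, "google", "g-alice"),
    (3, 2, "google", "g-bob"),
    (4, 3, "github", "gh-carol"),
]


def build_source_db():
    """In-memory stand-in for the old site's database (hypothetical schema)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT);
        CREATE TABLE user_oauth2_identities (
            id       INTEGER PRIMARY KEY,
            user_id  INTEGER NOT NULL REFERENCES users(id),
            provider TEXT NOT NULL,
            uid      TEXT NOT NULL,
            UNIQUE (provider, uid)
        );
        """
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    conn.executemany("INSERT INTO user_oauth2_identities VALUES (?, ?, ?, ?)", IDENTITIES)
    return conn


def export_identities_buggy(conn, user_id):
    """The bug: filters on the identity row's own primary key, not on its owner."""
    rows = conn.execute(
        "SELECT provider, uid FROM user_oauth2_identities WHERE id = ?", (user_id,)
    )
    return rows.fetchall()


def export_identities_fixed(conn, user_id):
    """The fix: filter on the foreign key that names the owning user."""
    rows = conn.execute(
        "SELECT provider, uid FROM user_oauth2_identities WHERE user_id = ?", (user_id,)
    )
    return rows.fetchall()


def migrate(conn, exporter):
    """Return {user_id: {(provider, uid), ...}} as the new site would import it."""
    return {user_id: set(exporter(conn, user_id)) for user_id, _, _ in USERS}


def verify_migration(conn, migrated):
    """Post-migration check: compare the import against the source of truth.

    misattributed: a login method now attached to an account its real owner
                   does not own (whoever holds that Google/GitHub login can
                   sign in as somebody else).
    missing:       a login method the owner had but no longer has after migration.
    """
    truth = {
        (provider, uid): owner
        for owner, provider, uid in conn.execute(
            "SELECT user_id, provider, uid FROM user_oauth2_identities"
        )
    }
    misattributed = sorted(
        (provider, uid, truth[(provider, uid)], user_id)
        for user_id, identities in migrated.items()
        for provider, uid in identities
        if truth[(provider, uid)] != user_id
    )
    missing = sorted(
        (provider, uid, owner)
        for (provider, uid), owner in truth.items()
        if (provider, uid) not in migrated.get(owner, set())
    )
    return {"misattributed": misattributed, "missing": missing}


if __name__ == "__main__":
    conn = build_source_db()
    for label, exporter in (("buggy", export_identities_buggy), ("fixed", export_identities_fixed)):
        print(label, verify_migration(conn, migrate(conn, exporter)))
```

With the buggy exporter, carol's Google identity (row id 1) is attached to alice (user id 1), so carol could sign in as alice, while carol herself loses both of her own login methods; the fixed exporter yields an empty misattributed list and an empty missing list. Run the check as a gate before any migrated login method is enabled: the misattributed list is the account-takeover condition described above, and the missing list catches the complementary failure (a user who can no longer sign in) that the same wrong filter also produces.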

Timeline (NZST)

3:04pm, August 15 — While testing an unrelated change, an engineer identified unexpected behaviour when trying to log in with a migrated user.

4:40pm — The behaviour was (sadly) identified to be a potential vulnerability. A list of all possibly impacted users was immediately compiled (a total of 65 users), and their login methods blocked. All pending user migrations were halted. All existing user sessions were reset, forcing all users to log in again. At this point, the site and all user data were secure.

8:50pm — A long-term fix for the bug was identified.

10:30am, August 16 — A comprehensive plan for fixing the bug was completed.

11:01am — The long-term fix was deployed. All migrated login methods were removed, and replaced with the correct login methods.

2:40pm — Engineers confirmed that the long-term fix was complete, secure, and the site could resume user migration.

3:30pm — This blog post was released on our Medium page, our Twitter page, and in our site updates feed.

??? — Affected users had their accounts remigrated, and have been contacted individually.

Actions taken

To prevent this situation from happening again, we have identified the following tasks that we will complete over the coming weeks:

  • This bug only impacted migrated accounts. New accounts on cryptfolio.com could not have been affected. Our user migration will complete in the next seven days, so this type of bug should not occur in the future.
  • Two-factor authentication, a new feature not previously supported on old.cryptfolio.com, will be implemented and rolled out over the next few weeks. This will ensure that even if this bug happened again, accounts secured with 2FA would not be affected.
  • In the last few weeks, we have been testing our bug bounty programme with an independent security researcher. In the coming weeks, we will be making this programme public. We’re hoping that this, along with our existing testing and review processes, will help us proactively identify and resolve any vulnerabilities.

We’re extremely sorry that this happened. We take security very seriously, and this is the first data breach we have ever had. We’re glad that we have not found any indication of breaches or misuse by anyone, and have used this as an opportunity to learn, reflect, and improve our security and release processes.
