May 2022 Security Update

Meredith at OneBookShelf on 2022-05-21

Edit June 2nd, 2022:

On Friday, May 20, prices on OneBookShelf marketplaces were reset incorrectly as an oblique result of a non-malicious security-testing procedure. In response, we closed down access to certain publisher and creator tool pages which might have contained the exposed vulnerability. These tools remained inaccessible through the weekend.

In dealing with this security breach, we learned that the hack was instigated by a “white-hat” hacker who had not followed proper protocols.

Details

The hacker found a PDO buffer overflow vulnerability that caused a SQL query to be truncated in a way that altered the price of all titles instead of just one.

The hacker also uncovered a vulnerability in a particular publisher-facing tool that would let a user enable or disable any title on site.

No customer or publisher data was accessed or compromised.

Resolution

We have implemented an across-the-board limit on all incoming request data such that it is truncated before it interacts with the PDO layer.

We closed the vulnerability that would let a user enable or disable any title.

We have also implemented better logging of all insert/update/delete statements.

Finally, we have communicated with the white-hat hacker responsible and ensured that future testing will be directed at a non-production server. We have also better communicated a public policy in the white-hat hacking community so that future white-hat hackers will know to contact us directly and not test on our production server.

Hacking attempts occur with much greater frequency than many people would suspect, and we always assume that we may be targeted. We have successfully thwarted thousands of attempts, and we have secured ourselves as much as possible against them. However, occasionally someone finds a vulnerability no one had anticipated, despite even the strongest security. The majority of attempts against us have been white-hat hackers looking for bounties, such as this one; this occasion happens to have had unintentional site-wide consequences.

Edit May 23rd, 2022: We have completed our investigation into the security incident last Friday, May 20, 2022.

Our team has confirmed that no private data was compromised. We have identified the method used to modify price points in the database and released a fix to prevent it.

All sites and all pages have returned to normal operations. We apologize for the impact on customers, publishers, and creators.

Later this week we will analyze any titles that were ordered at incorrect prices and make restitution to publishers and creators whose titles were affected.

===== May 20th, 2022 In the afternoon of May 20th, 2022, we had a security incident on site that we continue to actively investigate. We have no evidence that any customer account data was compromised.

A third party was able to set prices on titles that they were not authorized to modify, and they set the prices of many titles on site to free which led to some customers placing orders for free titles that were not meant to be free. We shut down the site shortly after this began to happen.

Publishers/Creators: We are restoring the site to service, however, for the time being, there will be no access to the normal tool pages to enter or edit titles or to manage bundle titles. We continue to investigate these pages for any security issues and will restore them as soon as we can. Files can still be updated with the normal update file tool page.

Publishers may still use the main publisher hub title search to find and make some edits to titles.

In the coming week, we will analyze any titles that were ordered at incorrect prices and make restitution to publishers and creators whose titles were affected.

We will continue to post messages to Discord, publisher hub, and social media as our investigation continues.