[PDB Announce] Security disclosure for recent API Key users of https://beta.peeringdb.com/

Leo Vegoda leo at peeringdb.com
Sat Apr 16 12:01:20 PDT 2022


The PeeringDB Operations Committee has asked me to pass along the
following regarding a recent security incident:

  - Only a small percentage of PeeringDB Users and Organizations have API
    Keys configured. If you are not familiar with API Keys you can safely
    ignore the rest of this message. Details about API Keys are at:

      https://docs.peeringdb.com/howto/api_keys/

  - Due to a bug in a recent code deployment to the Beta site
    (https://beta.peeringdb.com/) from approximately April 13th 2022 at
    0300 UTC until April 16th 2022 at 0100 UTC, there was exposure of API
    Keys to unrelated users in the form of a new HTTP Response Header.

  - This new response header is intended for logging purposes, and a
    configuration is now in place to prevent it from being sent to
    clients. In addition, before this code is rolled to Production, it
    will be corrected so that it does not mix up unrelated users and
    does not include a full API Key in the logs.

  - If you or someone on your team used an API Key with
    https://beta.peeringdb.com/ during the vulnerability time period, it
    is recommended that you revoke the key on the Production site
    https://www.peeringdb.com/ and the Beta site
    https://beta.peeringdb.com/ and issue a new key for your software
    clients. (The Beta site is populated with a copy of the Production
    database during each Beta deploy.)

    User API Key revocation/issuance is performed at:

      https://www.peeringdb.com/profile
      https://beta.peeringdb.com/profile

    while Organization API Key revocation/issuance is performed at your
    organization's parent object under "Manage" and then "API Keys".

  - Use of API Keys with the Production site https://www.peeringdb.com/
    has not resulted in any known compromise, so it is not necessary to
    change your keys if you or your client software have not used the Beta
    site.

  - The discovery was made by a member of the Operations Committee. It is
    unknown whether any keys used on Beta are now in the possession of
    unauthorized entities.

  - Additional details at:

      https://github.com/peeringdb/peeringdb/issues/1120

  - Questions/concerns welcome at: pdb-ops at lists.peeringdb.com
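The two corrections described above (keep the diagnostic header from reaching clients, and never put a full API Key in the logs) can be illustrated with a small Python example. This is an added example, not PeeringDB's own code; the header name X-Debug-Auth, the logging pepper and the sample key are constructed for illustration and do not come from the announcement or the linked issue.

```python
"""Added example, not PeeringDB's own code: keeping an API key out of a
diagnostic response header and out of the access log.

Assumptions (constructed for this example): a header named X-Debug-Auth
is attached to responses so the access log can record which key
authenticated a request, and the server holds a secret logging pepper.
The mitigation shown is twofold: the log gets only a keyed, truncated
fingerprint of the key, and any internal header is removed before the
response leaves the server.
"""
import hashlib
import hmac

# Header names that must never reach a client (hypothetical name).
INTERNAL_HEADERS = {"x-debug-auth"}

# Server-side secret so a log reader cannot precompute fingerprints of
# guessed keys; constructed value for this example.
LOG_PEPPER = b"constructed-log-pepper"


def key_fingerprint(api_key: str, length: int = 12) -> str:
    """Short keyed hash of an API key, safe to write to logs.

    HMAC with a server-side pepper means the fingerprint cannot be
    reversed or precomputed without the pepper; 12 hex characters are
    enough to correlate requests in a log without exposing the credential.
    """
    digest = hmac.new(LOG_PEPPER, api_key.encode("utf-8"), hashlib.sha256)
    return digest.hexdigest()[:length]


def strip_internal_headers(headers: dict) -> dict:
    """Return a copy of the headers with every internal header removed.

    Header names are compared case-insensitively, as HTTP requires.
    """
    return {k: v for k, v in headers.items() if k.lower() not in INTERNAL_HEADERS}


def header_leaks_secret(headers: dict, secret: str) -> bool:
    """Regression check: does any outgoing header value contain the secret?"""
    return any(secret in str(v) for v in headers.values())


def finalize_response(headers: dict, api_key: str, user_id: int) -> tuple:
    """Build the log record for a request and the headers sent to the client.

    The log record carries the user id and the key fingerprint of that same
    request, never the key itself; the outgoing headers have the diagnostic
    header stripped.
    """
    log_record = {"user_id": user_id, "api_key_id": key_fingerprint(api_key)}
    outgoing = strip_internal_headers(headers)
    # Refuse to send a response that still carries the key anywhere.
    if header_leaks_secret(outgoing, api_key):
        raise RuntimeError("API key present in outgoing headers")
    return outgoing, log_record


if __name__ == "__main__":
    # Constructed sample in the vulnerable shape: a diagnostic header
    # holding the full key.
    key = "constructed-api-key-0123456789"
    raw_headers = {
        "Content-Type": "application/json",
        "X-Debug-Auth": f"user=42 key={key}",
    }
    print("leaks before:", header_leaks_secret(raw_headers, key))
    sent, record = finalize_response(raw_headers, key, 42)
    print("leaks after:", header_leaks_secret(sent, key))
    print("sent headers:", sent)
    print("log record:", record)
```

The fingerprint is derived from the key and a server-side pepper, so the log still lets operators correlate requests to a particular key while a copy of the log (or a header that slipped through) never discloses the credential. The `header_leaks_secret` check is the kind of assertion worth keeping in a test suite so that a regression of this sort is caught before deployment rather than on a beta site.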

Leo Vegoda
PeeringDB Product Manager