[PDB Announce] Security disclosure for recent API Key users of https://beta.peeringdb.com/
Leo Vegoda
leo at peeringdb.com
Sat Apr 16 12:01:20 PDT 2022
The PeeringDB Operations Committee has asked me to pass along the
following regarding a recent security incident:
- Only a small percentage of PeeringDB Users and Organizations have API
Keys configured. If you are not familiar with API Keys you can safely
ignore the rest of this message. Details about API Keys are at:
https://docs.peeringdb.com/howto/api_keys/
- Due to a bug in a recent code deployment to the Beta site
(https://beta.peeringdb.com/) from approximately April 13th 2022 at
0300 UTC until April 16th 2022 at 0100 UTC, there was exposure of API
Keys to unrelated users in the form of a new HTTP Response Header.
- This new response header is intended for logging purposes, and a
configuration is now in place to prevent it from being sent to clients. In
addition, before this code is rolled to Production, it will be corrected
so that it does not mix up unrelated users, nor include a full API Key in
the logs.
- If you or someone on your team used an API Key with
https://beta.peeringdb.com/ during the vulnerability time period, it
is recommended that you revoke the key on the Production site
https://www.peeringdb.com/ and the Beta site
https://beta.peeringdb.com/ and issue a new key for your software
clients. (The Beta site is populated with a copy of the Production
database during each Beta deploy.)
User API Key revocation/issuance is performed at:
https://www.peeringdb.com/profile
https://beta.peeringdb.com/profile
while Organization API Key revocation/issuance is performed at your
organization's parent object under "Manage" and then "API Keys".
- Use of API Keys with the Production site https://www.peeringdb.com/
has not resulted in any known compromise, so it is not necessary to
change your keys if you or your client software have not used the Beta
site.
- The discovery was made by a member of the Operations Committee. It is
unknown whether any keys used on Beta are now in the possession of
unauthorized entities.
- Additional details at:
https://github.com/peeringdb/peeringdb/issues/1120
- Questions/concerns welcome at: pdb-ops at lists.peeringdb.com
Leo Vegoda
PeeringDB Product Manager
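A client-side check for the failure mode described above, added here as an example (it is not PeeringDB code and not the fix referenced in the GitHub issue): it scans the headers of an HTTP response for your own API key in any encoding, and for any other long high-entropy token, which is what another user's key echoed in a logging header would look like. It also shows a log-safe fingerprint, the kind of value a logging header or log line can carry instead of a full key. The header name "X-Request-Log", both key values and the sample response are constructed for this example; the "Authorization: Api-Key <key>" form is assumed from the API Keys documentation linked in the message.

```python
"""Added example (not PeeringDB code): scan HTTP response headers for an
API key that should never have been echoed back, and derive a log-safe
fingerprint so that logging code never records a full key.

Assumptions: clients send keys as "Authorization: Api-Key <key>"; the
header name "X-Request-Log" and both key values are constructed here.
"""
import base64
import hashlib
import math
import re
import sys
import urllib.request
from collections import Counter
from typing import Iterable, List, Tuple

# Any run of 20+ token characters (covers raw keys and base64 encodings).
TOKEN_RE = re.compile(r"[A-Za-z0-9_\-+/=]{20,}")
# Headers that legitimately carry high-entropy values; skipped to cut noise.
IGNORE_HEADERS = {"set-cookie", "etag"}


def shannon_entropy(s: str) -> float:
    """Bits per character; 30 distinct characters gives log2(30), about 4.9."""
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def secret_like_tokens(value: str, min_bits: float = 3.5) -> List[str]:
    """Tokens in a header value that look like credentials (long and random)."""
    return [t for t in TOKEN_RE.findall(value) if shannon_entropy(t) >= min_bits]


def key_needles(own_key: str) -> List[str]:
    """Forms of our own key to search for: raw and base64."""
    return [own_key, base64.b64encode(own_key.encode()).decode()]


def find_key_leaks(headers: Iterable[Tuple[str, str]], own_key: str) -> List[Tuple[str, str]]:
    """Return (header_name, kind) for every header that carries a key.

    kind is "own" when the value contains our own key (the case one client
    can test directly) and "foreign" when it contains some other
    secret-looking token, which is how a cross-user exposure like the one
    in the announcement would look from the client side.
    """
    needles = key_needles(own_key)
    findings = []
    for name, value in headers:
        if name.lower() in IGNORE_HEADERS:
            continue
        if any(n in value for n in needles):
            findings.append((name, "own"))
        elif secret_like_tokens(value):
            findings.append((name, "foreign"))
    return findings


def log_fingerprint(api_key: str, prefix_len: int = 4) -> str:
    """What a log should carry instead of the key: a short prefix plus a
    truncated SHA-256, enough to correlate requests, useless to replay."""
    digest = hashlib.sha256(api_key.encode()).hexdigest()[:12]
    return f"{api_key[:prefix_len]}...{digest}"


def probe(url: str, api_key: str) -> List[Tuple[str, str]]:
    """Live check: send the key and scan the headers of the response."""
    req = urllib.request.Request(url, headers={"Authorization": f"Api-Key {api_key}"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return find_key_leaks(resp.getheaders(), api_key)


# Constructed sample data: two keys of 30 distinct characters each, and a
# response in which a hypothetical logging header echoes another user's key.
OWN_KEY = "q7Hm2Zk9Tv4Xc1Lp6Nb8Jw3Rd5Fs0G"
OTHER_KEY = "Zt3Vb8Qn1Kx5Mp9Lc7Rw2Hd4Yf6Sj0"
SAMPLE_HEADERS = [
    ("Date", "Sat, 16 Apr 2022 01:00:00 GMT"),
    ("Content-Type", "application/json; charset=utf-8"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("X-Request-Log", f"user=1234 auth=Api-Key {OTHER_KEY} status=200"),
]

if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: script.py https://host/api/net/1 <your-key>
        print(probe(sys.argv[1], sys.argv[2]))
    else:
        print("sample findings:", find_key_leaks(SAMPLE_HEADERS, OWN_KEY))
        print("log-safe id for own key:", log_fingerprint(OWN_KEY))
```

The "foreign" classification is a heuristic: session cookies, ETags and CSP nonces are also long random tokens, so the ignore list will need extending for a given site, and a real audit should still diff the header set against a known-good response. Note that running `probe` against a live endpoint sends the key, so use one you intend to rotate anyway.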