[RESOLVED] Security Vulnerability: Account Takeover - September 22, 2020

Dear Loom user,

This document outlines a security vulnerability that has since been fixed.

Summary

  • On September 22nd, 2020, two security researchers responsibly disclosed a vulnerability that would allow an attacker to gain access to someone's Loom account via what is known as a man-in-the-middle attack
  • We have scanned our server logs and found no indication of a breach; no user information was compromised
  • In fixing this vulnerability, we decided to take the most conservative approach and force a logout and password reset for some user accounts
  • We are actively working to protect our users from these types of vulnerabilities in the future

More information

In the spirit of transparency, I've outlined the vulnerability that has since been fixed in more detail below:

  1. When you sign up via our OAuth flow (Google, Slack, Apple, and Outlook), you click on one of the buttons below, which tells our server to talk to Google's, Slack's, or Apple's servers (we'll refer to them as 3rd parties from here).

    [screenshot of the sign-in buttons]

  2. You then select the appropriate 3rd-party account, and the 3rd-party server talks to our server and gives us privileged information that lets us know the current user is who they say they are.


  3. If a user is signing up for the first time, we inject some of this information back into a web page where we ask the user to agree to our terms of service.

  4. If the user accepts our terms of service, that information is sent back up to our servers to complete the sign up. During this step, if an attacker were to change certain information that we sent back up to our server, we would log them in to another user's account.
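As an added illustration of the pattern in step 4 (example code, not Loom's own implementation), here is a sign-up completion handler that trusts the identity the browser posts back, beside a hardened version that seals the 3rd-party-verified identity in an HMAC-signed token so the terms page can no longer alter which account is logged in. Function names and the in-memory SERVER_KEY are assumptions for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed server-side secret (assumption); in production it comes from a secret store.
SERVER_KEY = secrets.token_bytes(32)

def vulnerable_complete_signup(form: dict):
    """Step 4 as described: the identity returned by the 3rd party was rendered into
    the terms page, and the server trusts whatever the browser posts back."""
    if form.get("accepted") != "yes":
        return None
    return form["email"]  # client-controlled field decides which account is logged in

def b64enc(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")

def b64dec(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_signup_token(verified_email: str, ttl_s: int = 600, now=None) -> str:
    """Hardened: seal the identity the 3rd party verified with an HMAC before it goes
    to the browser. The terms page carries this token instead of an editable field."""
    now = time.time() if now is None else now
    payload = json.dumps({"email": verified_email, "exp": int(now) + ttl_s}).encode()
    sig = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return b64enc(payload) + "." + b64enc(sig)

def hardened_complete_signup(form: dict, now=None):
    """The identity comes only from the verified token; any posted 'email' is ignored."""
    if form.get("accepted") != "yes":
        return None
    try:
        payload_b64, sig_b64 = str(form.get("signup_token", "")).split(".")
        payload, sig = b64dec(payload_b64), b64dec(sig_b64)
    except ValueError:  # wrong shape or bad base64 (binascii.Error is a ValueError)
        return None
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None  # signature mismatch: payload was altered or forged
    data = json.loads(payload)
    now = time.time() if now is None else now
    if data["exp"] < now:
        return None  # stale token
    return data["email"]
```

An opaque server-side session handle works equally well in place of the signed token; the essential point is that the browser never carries an identity field the server will act on.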

Moving forward

Protecting our users' accounts continues to be our top priority at Loom. We have not only been working to ensure this vulnerability has been fixed, but that we have internal processes, code, and tests written to ensure it will not happen again.

We appreciate you being with us and recording with Loom and are sorry for the inconvenience this may have caused you. If you have any additional questions, you can reach us at security@loom.com.

Sincerely,

Vinay

CTO and Co-founder
