CVE-2022-41542: devhub 0.102.0 was discovered to contain a broken session control.
This session control lets a user store data on the Hub and make that data visible to other users in the network who have chosen to ‘follow’ the user that shared it. Unfortunately, this session control was not secured against ‘hacking’: any user with access to the control panel of a server could change the visibility settings of another user’s data, essentially making that data visible to any user in the network. This is a serious issue, especially when the data being shared is sensitive in nature. We have therefore updated our session control to secure it against hacking. Unfortunately, this update was not pushed to all users, so we have provided a fix. This will be a top priority going forward, as such an incident could expose the network to any user with access to the control panel of a server.
Vulnerabilities and weaknesses
The vulnerability of this session control became apparent when observing the following:
- Access to the control panel of a server allowed visibility settings to be hacked and changed.
- The update securing this against hacking was not pushed to all users on the Hub.
Reasons for updating the session control:
- The vulnerability was not addressed in time, which exposed the network to any user with access to the control panel of a server.
- We are always looking for ways to improve our security measures, such as updating our session controls.
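The failure described above is a missing ownership check on the visibility-settings update. The following is an added example, not devhub code: a small in-memory model of the Hub (hypothetical names Hub, Record, set_visibility) showing the broken handler, which trusts any control-panel session, beside the fixed one, which refuses changes from anyone but the record's owner.

```python
"""Added example (not devhub code): ownership check on a visibility update.

Models the advisory's behaviour: a user stores data on the Hub, chooses whether
followers may see it, and only the owner may change that setting.
"""
from dataclasses import dataclass, field


@dataclass
class Record:
    owner: str
    body: str
    visible_to_followers: bool = False


@dataclass
class Hub:
    records: dict = field(default_factory=dict)   # record id -> Record
    follows: dict = field(default_factory=dict)   # user -> set of followed users

    def follow(self, user, target):
        self.follows.setdefault(user, set()).add(target)

    def can_view(self, viewer, rid):
        """Owner always sees the record; others only if they follow the owner
        and the owner has opted in."""
        rec = self.records[rid]
        if viewer == rec.owner:
            return True
        return rec.visible_to_followers and rec.owner in self.follows.get(viewer, set())

    def set_visibility_unchecked(self, session_user, rid, visible):
        # Broken control as described in the advisory: any session reaching the
        # control panel may change another user's setting; session_user is ignored.
        self.records[rid].visible_to_followers = visible
        return True

    def set_visibility(self, session_user, rid, visible):
        # Fixed control: the session's user must own the record, otherwise the
        # request is refused and the setting is left untouched.
        rec = self.records.get(rid)
        if rec is None or rec.owner != session_user:
            return False
        rec.visible_to_followers = visible
        return True
```

Constructed usage: with alice's record private and bob following alice, a mallory session cannot flip the setting through set_visibility, while set_visibility_unchecked lets it through.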
Check if you are affected by this issue
If you are affected by this issue and have not already received the update, your session control should update on your next log-in. If it does not update, please submit a support ticket to receive a fix from our team.
To check if you are affected by this issue:
1. Log into your Hub account using https://hub.twitter.com
2. Click the Settings tab
3. Click the ‘Edit’ link of your session control and make sure that ‘visible to following users’ is set to ‘No’.
Timeline
Published on: 10/17/2022 14:15:00 UTC
Last modified on: 10/19/2022 15:10:00 UTC