We regret to inform you that a vulnerability was identified in one of our API services, specifically in the functionality that generates a thumbnail of a user-specified website (🤖/html/convert). This issue could potentially have led to the server disclosing its own system files.


Evidence

The vulnerability researcher could host a web page containing a specially crafted HTML iframe. When this site was imported through our service, the server interpreted the iframe source and rendered text files from its own file system into the site's thumbnail image.
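As an added illustration (not the service's own code), the following deny-by-default request policy shows the class of check a headless thumbnail renderer needs: because the flaw was in a subresource (the iframe source), the check has to apply to every request the page triggers, not just the user-supplied top-level URL. The hostnames, ranges and the `checkRendererRequest` name are assumptions for this example.

```javascript
// Added example, not the vendor's code: a deny-by-default request policy
// for a headless-browser thumbnail renderer. The flaw described above was
// that an iframe's src was fetched from the server's own file system, so
// the check must run on EVERY request the page triggers (iframes, images,
// scripts, redirects), not only on the user-supplied top-level URL.

// Hostnames an internet-facing renderer has no business reaching (assumed list).
const BLOCKED_HOSTNAMES = new Set(['localhost', 'metadata.google.internal']);

// Loopback, private, link-local (incl. 169.254.169.254) and unspecified IPv4.
function isPrivateIPv4(ip) {
  const [a, b] = ip.split('.').map(Number);
  return a === 0 || a === 10 || a === 127 || (a === 169 && b === 254) ||
    (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

// Loopback, unspecified, link-local, unique-local and IPv4-mapped IPv6.
// The WHATWG URL parser serialises v4-mapped addresses as "::ffff:7f00:1".
function isPrivateIPv6(ip) {
  const v6 = ip.toLowerCase();
  if (v6 === '::1' || v6 === '::') return true;
  if (/^(fe80|fc|fd)/.test(v6)) return true;
  if (v6.startsWith('::ffff:')) {
    const rest = v6.slice(7);
    if (rest.includes('.')) return isPrivateIPv4(rest);
    const [hi, lo] = rest.split(':').map(h => parseInt(h, 16));
    return isPrivateIPv4(`${hi >> 8}.${hi & 0xff}.${lo >> 8}.${lo & 0xff}`);
  }
  return false;
}

// Returns { allow, reason } for one URL the renderer is about to fetch.
function checkRendererRequest(rawUrl) {
  let url;
  try { url = new URL(rawUrl); } catch { return { allow: false, reason: 'unparseable URL' }; }
  // file:, data:, blob:, about:, javascript:, chrome: ... are all denied;
  // a non-http(s) iframe source is how local files ended up in the thumbnail.
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    return { allow: false, reason: `scheme ${url.protocol} not allowed` };
  }
  // new URL() already normalises shorthand such as 127.1 to a dotted quad.
  const host = url.hostname.replace(/^\[|\]$/g, '').replace(/\.$/, '');
  if (BLOCKED_HOSTNAMES.has(host)) return { allow: false, reason: 'blocked hostname' };
  if (/^\d+(\.\d+){3}$/.test(host) && isPrivateIPv4(host)) {
    return { allow: false, reason: 'non-public IPv4 literal' };
  }
  if (host.includes(':') && isPrivateIPv6(host)) {
    return { allow: false, reason: 'non-public IPv6 literal' };
  }
  // Assumption: resolved addresses are re-checked at connect time (e.g. by an
  // egress proxy), because a public hostname may resolve to a private IP.
  return { allow: true, reason: 'ok' };
}
```

In a Puppeteer- or Playwright-style renderer this function would be called from the request-interception hook so that denied requests are aborted before any fetch happens.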

Potential risks

This vulnerability, in theory, could have been exploited by API users. Successful exploitation could have allowed the attacker to render system files as images.

Please note that, while it was possible to render these files, the machines executing this function do not contain secrets. Furthermore, accessing customer data would require knowledge of the UUID hashes related to that data, which are nearly impossible to guess. We are therefore confident that no customer data was leaked through this vulnerability.

Remediation steps

We sincerely apologize and assure you that we take this matter very seriously. The security and privacy of our customers will always be our topmost priority.

Within 24 hours of the issue being disclosed to us, the patch was confirmed by the vulnerability researcher.

We encourage all our users to stay vigilant about their security practices, as we do too. An extensive set of deployed security measures can be reviewed at /security/, and we welcome any questions or concerns you may have.