We regret to inform you that a vulnerability was identified in one of our API services, specifically related to the functionality that generates a thumbnail of a user-specified website (🤖/html/convert). This issue could potentially lead to the server disclosing its own system files.
The vulnerability researcher could host a web page containing a specially crafted HTML iframe. When that site was imported through our service, the server interpreted the iframe source and rendered text files from its own file system into the site’s thumbnail image.
This vulnerability, in theory, could have been exploited by API users. Successful exploitation could have allowed an attacker to render system files as images.
Please note that, while it was possible to render these files, our machines executing this function do not contain secrets. Furthermore, accessing customer data would require knowledge of the UUID hashes related to their data, which are near impossible to guess. We are therefore confident that no customer data was leaked through this vulnerability.
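The class of bug described above is that a renderer given user-controlled HTML will follow any URL scheme it understands, including ones that point at the server's own file system. One defensive check is to audit the fetched HTML for resource-loading attributes and refuse to render a page whose sources are not plain http(s). The example below is added here for illustration and is not Transloadit's code; the tag/attribute table, the allowlist policy and the sample page are assumptions, and the check is meant as defense in depth alongside sandboxing the renderer, not as a replacement for it.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# (Assumed) attributes that make a headless browser fetch another resource
# while rendering the page; an iframe is the one the advisory describes.
FETCHING_ATTRS = {
    ("iframe", "src"), ("frame", "src"), ("img", "src"), ("script", "src"),
    ("link", "href"), ("object", "data"), ("embed", "src"), ("source", "src"),
}
# Policy choice: only http(s) and relative URLs may be fetched. Everything
# else (file:, data:, javascript:, ...) is rejected so the renderer can never
# be steered at the local file system.
ALLOWED_SCHEMES = {"http", "https"}


def source_is_allowed(url: str) -> bool:
    """Allow only http(s) and relative URLs; fail closed on unparsable input."""
    try:
        scheme = urlsplit(url.strip()).scheme.lower()
    except ValueError:
        return False
    return scheme == "" or scheme in ALLOWED_SCHEMES


class SourceAuditor(HTMLParser):
    """Collects every (tag, attribute, value) whose URL scheme is not allowed."""

    def __init__(self):
        super().__init__()
        self.violations = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser already lowercases tag and attribute names for us.
        for name, value in attrs:
            if (tag, name) in FETCHING_ATTRS and value and not source_is_allowed(value):
                self.violations.append((tag, name, value))

    handle_startendtag = handle_starttag  # self-closing tags get the same check


def audit_html(html: str):
    """Return the disallowed sources; an empty list means the page may be rendered."""
    auditor = SourceAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.violations


# Constructed sample page: one iframe pointing at a local file, two harmless images.
SAMPLE = """<html><body>
<iframe src="file:///tmp/constructed-example.txt" width="600" height="300"></iframe>
<img src="https://example.com/logo.png">
<img src="/relative/banner.png">
</body></html>"""

if __name__ == "__main__":
    for violation in audit_html(SAMPLE):
        print("refusing to render, disallowed source:", violation)
```

A service would call `audit_html` on the fetched document and abort the thumbnail job whenever the list is non-empty, logging the offending source for later review.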
We sincerely apologize and assure you that we take this matter very seriously. The security and privacy of our customers will always be our topmost priority.
Within 24 hours of this issue being disclosed to us, it was patched, and the fix was confirmed by the vulnerability researcher.
We encourage all our users to stay vigilant about their security practices, as we do too. An extensive set of deployed security measures can be reviewed at /security/, and we welcome any questions or concerns you may have.