Advisory ID: DOPPLER-PSA-2022-001 Publication Date: 2022-06-08 Revision Date: 2022-06-08 Status: Confirmed, Fixed Document Revision: 1
Doppler has found and resolved an issue where FullStory recordings made on the Doppler Dashboard's Secret and Config Compare pages were not correctly masking secrets. Customers are not required to take any action in response to this issue.
Doppler discovered this issue internally on Monday, June 6, 2022. Doppler delivered a fix to production and purged all FullStory data on Tuesday, June 7, 2022. After internal review, FullStory was fully removed from Doppler’s services on Wednesday, June 8, 2022.
Access to FullStory data is limited to six (6) senior Doppler employees. Doppler has confirmed with each of these Doppler employees that they have never viewed any sessions where secrets were captured. Had any secrets been observed by a Doppler employee, this issue would have immediately been reported and resolved. Customer data stored in FullStory is also inaccessible to FullStory itself.
Doppler’s internal logs do contain a comprehensive accounting of which users and workplaces have used the Compare functionality, and any impacted workplaces have been contacted via email.
FullStory captures user sessions to allow for easier debugging and to identify pain points users experience when interacting with our product. Any elements/fields that display secrets are excluded from capture so that they’re not sent to FullStory. While performing an audit, Doppler’s Engineering Team discovered that the fields displaying secrets on the Secrets compare and Config compare pages were lacking the descriptor that masked them from FullStory. This allowed these fields to be sent to FullStory unmasked, where they would have been retained for 30 days.
Users who have used the Secrets compare or Config compare pages, and who were not utilizing an ad blocker, may have had a copy of their secrets ingested by FullStory. These secrets would have been accessible to a small number of Doppler employees for up to 30 days.
FullStory has been removed from Doppler’s services and all FullStory data has been purged. No action is required from customers.
This issue re-highlights for us the importance of strongly limiting what 3rd party JavaScript/tools runs on our Dashboard. FullStory has been in use by Doppler since its creation in 2018, and was supremely helpful in understanding how early customers used our product. But as our customer base and risk profile has grown, this tool should have been re-evaluated. We will be performing a full audit of all 3rd party tools that run on our Dashboard and eliminating anything that isn’t strictly necessary.
Vulnerability Class: CWE-201: Insertion of Sensitive Information Into Sent Data Remotely Exploitable: Yes Authentication Required: Yes Severity: Medium CVSSv3.1 Overall Score: 5.7 CVSSv3.1 Vector: AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
Jun 07, 2022 00:30 UTC
Doppler Engineering discovers the issue and notifies Doppler's Security Team.
Jun 07, 2022 00:41 UTC