Advisory ID: DOPPLER-PSA-2024-001 Publication Date: 2024-03-12 Revision Date: 2024-03-12 Status: Confirmed, Fixed Document Revision: 1.0
Doppler has found and resolved an issue where front-end errors on the Doppler Dashboard that were reported to BugSnag may have included sensitive data, including secrets, in certain rare scenarios. Doppler estimates that fewer than 0.015% of Dashboard sessions encounter a front-end error, and only a subset of those errors would have included sensitive data. As Doppler regularly purges historical errors from BugSnag, we are unable to determine which workplaces may have had their data exposed to BugSnag in the past. However, we are able to confirm that all data for all Doppler workplaces in BugSnag has been deleted.
Doppler discovered this issue internally on Friday, March 8, 2024. Doppler delivered a fix to production and purged all BugSnag data within 1 hour of discovering the issue. Doppler has confirmed with BugSnag that BugSnag employees have never accessed Doppler data and all backups that exist will be permanently erased within two weeks.
We believe the risk from this incident to be near zero, and customers are not required to take any action in response to this issue.
Doppler uses BugSnag for error reporting and tracking to ensure the stability and correctness of our platform. BugSnag is an ISO-27001 certified vendor, and Doppler considers BugSnag part of its critical infrastructure for error monitoring.
BugSnag automatically tracks user actions and network requests on the front-end and includes those actions (breadcrumbs) in the error report when the user encounters a front-end error. The breadcrumb action for clicking on a text input includes the text input’s value. If a user clicked on a sensitive input and subsequently encountered a front-end error, that value would have been included in the report sent to BugSnag. Only the most recent 25 breadcrumbs are included in the report.
Users who touched a text input containing a sensitive value, encountered a front-end error, and were not using an ad blocker may have included the sensitive value in the error report sent to BugSnag.
Access to BugSnag data is limited to eleven (11) Doppler employees. Doppler has confirmed with each of these Doppler employees that they have never viewed any errors where secrets were captured aside from the employee who discovered the issue and immediately reported it. Additionally, Doppler has confirmed with BugSnag that BugSnag employees have never accessed any Doppler data. All data transmitted to BugSnag is sent over HTTPS, which ensures the data would not have been captured elsewhere.
BugSnag breadcrumbs have been disabled and all pre-existing data in BugSnag has been permanently deleted. Doppler has confirmed with BugSnag that no BugSnag employee has ever accessed any Doppler data within BugSnag. No action is required from customers.
After the previous Fullstory incident, we removed all third party tools from the dashboard aside from BugSnag, which is critical to maintaining the stability of our systems. At that time, we also added a restrictive Content Security Policy that disallows external connections to all systems other than BugSnag (and Stripe, but only on the billing page). However, during this audit, we missed the automatically generated BugSnag breadcrumbs.
This issue demonstrates the importance of limiting data export to third party tools. While we believe BugSnag is the only third party tool to which secrets were exported, we will be performing an in-depth audit of all third party tool integrations to confirm all sensitive data is excluded.
Vulnerability Class: CWE-201: Insertion of Sensitive Information Into Sent Data Remotely Exploitable: Yes Authentication Required: Yes Severity: Medium CVSSv3.1 Overall Score: 5.7 CVSSv3.1 Vector: AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
March 8, 2024 19:25 UTC