On the 2nd December 2021, SignOnSite became aware that we published an update to our application on the 19th November 2021 which in rare cases allowed an image to be exposed to an unauthorised user. The exposures occurred only when two people uploaded an image with the same filename to our system at exactly the same millisecond. Far less than 1% of our user base was impacted by this issue.
The affected information included images associated with credentials, permits, inductions & user profiles. No account access information, such as passwords, was exposed.
Impacted users have been notified by email & mitigations have been put in place. There is very low risk of adverse impacts to users impacted by this incident. If you have not been contacted by email or phone, then you were not impacted by this issue in any way.
Important information for impacted users
If you are a user who has been impacted by this issue and have received a notification email or found a notice while viewing an affected image within the app, then you may need to re-upload the affected file(s).
If you are unsure which image(s) of yours have been impacted, please reach out to email@example.com and we will be able to let you know.
If you have further questions or would like help from a human to re-upload an impacted image, please reach out to firstname.lastname@example.org.
- 19 November 2021: A bug was introduced to our system whilst making an improvement to how we handle uploaded image filenames.
- 02 December 2021: Support tickets alerted us that there may be an issue with image uploads not working as expected. The support tickets were escalated to our engineering team for further investigation. The engineering team confirmed the issue and discovered its cause within 30 minutes of the escalation. A fix was implemented and pushed to our production environment the same day.
- 03 December 2021 - 20 January 2022: An investigation into which users were impacted & the severity of the impacts was undertaken. Further mitigation actions were identified as part of this investigation and are documented here.
- 21 January 2022: Impacted users were notified & engineering work on further mitigations started.
- Impacted users have been notified by email.
- Users who have had sensitive personal information displayed to an unauthorised user have been contacted directly by phone. If you have not already received a phone call, then although an image was leaked, sensitive personal information was not.
- Impacted images will be purged from our system and a notice displayed in their place.
- We will be implementing a system to prevent this class of bug from being able to reoccur.
- This support page has been set up to track the issue, disclose the key details & provide help and support to users about how they can re-upload affected images if necessary.
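The summary above describes the bug class: an upload key derived from a millisecond timestamp plus the user-supplied filename, so two uploads of the same name in the same millisecond map to one object. The following is an added, constructed illustration of that failure beside a key scheme and a create-only write that cannot collide across users; it is not SignOnSite's code, and the user ids, filenames and timestamp are made up.

```python
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

# Constructed example: the collision described above, and a scheme that
# prevents it. Not the code of the application discussed on this page.

def naive_key(owner_id: str, filename: str, now_ms: int) -> str:
    """Timestamp + original filename. Two users uploading 'photo.jpg' in the
    same millisecond get the same key, so one object is served to both."""
    return f"{now_ms}_{filename}"

def safe_key(owner_id: str, filename: str, now_ms: int) -> str:
    """Namespace by owner and add 128 bits of randomness. The original name
    survives only as a readable suffix, with any path components stripped,
    so neither the clock nor the caller can steer the key."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1] or "upload"
    return f"{owner_id}/{secrets.token_hex(16)}_{base}"

@dataclass
class ObjectStore:
    """In-memory stand-in for blob storage with a create-only write
    (the equivalent of a conditional put on a real object store)."""
    objects: Dict[str, Tuple[str, bytes]] = field(default_factory=dict)

    def put_new(self, key: str, owner_id: str, data: bytes) -> bool:
        if key in self.objects:
            return False  # never silently overwrite another upload
        self.objects[key] = (owner_id, data)
        return True

    def get_for(self, key: str, owner_id: str) -> Optional[bytes]:
        entry = self.objects.get(key)
        if entry is None or entry[0] != owner_id:
            return None  # read-time ownership check, independent of the key
        return entry[1]

def simulate(keyfn: Callable[[str, str, int], str]) -> Tuple[str, str, int]:
    """Two users upload a file with the same name in the same millisecond.
    Returns both keys and how many distinct objects the store holds."""
    store = ObjectStore()
    t = 1637280000000  # constructed fixed timestamp in milliseconds
    key_a = keyfn("alice", "photo.jpg", t)
    key_b = keyfn("bob", "photo.jpg", t)
    store.put_new(key_a, "alice", b"alice-image")
    store.put_new(key_b, "bob", b"bob-image")
    return key_a, key_b, len(store.objects)
```

With `naive_key` both uploads collapse onto one key; with `safe_key` they stay distinct, and `get_for` refuses to return an object to anyone but its owner even if a key were guessed or reused.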