Post Mortem - Unpublished shortcut titles and descriptions were visible.

Written by Harley Hicks on Aug. 15, 2020

tl;dr:

I had a very minor privacy breach that included the following information:

  • Around 670 unpublished shortcut titles

  • Around 670 unpublished shortcut short descriptions


On Wednesday, August 12, 2020, at 6:00 PM (EST), a user in our Discord server named "PrivateHub Team" posted an iOS shortcut in our #share-a-shortcut channel that contained a list of all unpublished shortcut titles and short descriptions that are hosted on RoutineHub.

Unfortunately I did not become aware of this until yesterday, Saturday, August 15, 2020, at around 5:30 PM (EST) when I noticed some people in our #general channel discussing it. I started investigating immediately.

I messaged the "PrivateHub Team" user at 5:34 PM (EST) and asked if they would mind discussing with me how they were able to get this information so that I could patch RoutineHub. They still have not responded to this message.

I received a message from @zachary7829 at 5:48 PM (EST) saying that they thought they might know how that user retrieved this information. It looked like if you went to an unpublished shortcut's changelog page, you would be able to see the title and short description of the shortcut (nothing else fortunately). In the end, he was very much correct!

It looks like this PrivateHub Team person(s) had basically looped through all the shortcuts' changelogs in sequential order to retrieve titles and descriptions, and had a check to see if other information was hidden in order to tag it as an unpublished shortcut.
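As an added illustration of the class of bug described above, and not RoutineHub's actual code (the data model, record contents, function names and the "changelog body is hidden" tell-tale are all hypothetical), the Python below puts a leaky changelog view beside a hardened one and reproduces the sequential-ID sweep. The leaky version renders the title and short description first and only afterwards decides which parts of the page to hide, so a scraper can walk every ID and keep the rows where the changelog body came back empty. The fixed version makes the authorization decision before rendering anything, and returns the same not-found result for an unpublished shortcut as for one that does not exist.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Shortcut:
    id: int
    owner: str
    title: str
    short_description: str
    published: bool
    changelog: List[str] = field(default_factory=list)


# Constructed sample records for the example; none of these are real shortcuts.
SHORTCUTS: Dict[int, Shortcut] = {
    1: Shortcut(1, "alice", "Battery Report", "Shows battery stats", True, ["1.0: initial release"]),
    2: Shortcut(2, "bob", "Secret Launch", "Coming soon", False, ["0.1: private draft"]),
    3: Shortcut(3, "alice", "Photo Cleaner", "Deletes old screenshots", True, ["1.0", "1.1: bug fixes"]),
    4: Shortcut(4, "carol", "Unreleased Thing", "Work in progress", False),
}


class NotFound(Exception):
    """Stands in for an HTTP 404 from the page handler."""


def changelog_page_vulnerable(shortcut_id: int, viewer: Optional[str] = None) -> dict:
    """Hypothetical pre-patch behaviour: the title and short description are
    rendered for every shortcut that exists, and only the changelog body is
    withheld from non-owners when the shortcut is unpublished."""
    sc = SHORTCUTS.get(shortcut_id)
    if sc is None:
        raise NotFound(shortcut_id)
    page = {"title": sc.title, "short_description": sc.short_description}
    if sc.published or viewer == sc.owner:
        page["changelog"] = sc.changelog
    else:
        page["changelog"] = None  # hidden: exactly the signal a scraper keys on
    return page


def changelog_page_fixed(shortcut_id: int, viewer: Optional[str] = None) -> dict:
    """Hardened version: authorize the whole page before rendering any field.
    A non-owner asking for an unpublished shortcut gets the same NotFound as
    for an ID that was never allocated, so the sweep learns nothing."""
    sc = SHORTCUTS.get(shortcut_id)
    if sc is None or not (sc.published or viewer == sc.owner):
        raise NotFound(shortcut_id)
    return {
        "title": sc.title,
        "short_description": sc.short_description,
        "changelog": sc.changelog,
    }


def enumerate_unpublished(page_fn: Callable[[int], dict], max_id: int) -> List[Tuple[int, str, str]]:
    """Reproduce the scraper's approach: request changelog pages for sequential
    IDs as an anonymous viewer and keep the rows whose changelog body is hidden."""
    found = []
    for sid in range(1, max_id + 1):
        try:
            page = page_fn(sid)
        except NotFound:
            continue
        if page.get("changelog") is None:
            found.append((sid, page["title"], page["short_description"]))
    return found


if __name__ == "__main__":
    print("before patch:", enumerate_unpublished(changelog_page_vulnerable, 10))
    print("after patch: ", enumerate_unpublished(changelog_page_fixed, 10))
    print("owner view:  ", changelog_page_fixed(2, viewer="bob")["title"])
```

Two points worth checking in a real codebase after a fix like this: every page or endpoint that renders the same object (version history, download links, embeds) must go through the same gate, not just the one page the report named, and sequential integer IDs mean a sweep costs one request per shortcut, so even a small leak per page becomes a complete list.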

After I researched the bug and understood the small privacy impact, I went back to dealing with minor family emergencies.

At 7:27 PM (EST) I finally had time to sit and patch the bug and push it live. At 7:31 PM (EST), I published a response in our Discord #general channel to explain that the bug had been patched. I also banned the offending user and deleted their messages. A couple of people brought into question why I would ban the user, as they were just trying to show that RoutineHub had a vulnerability. I would like to mention that they posted this publicly before mentioning it to me privately, and they never responded to my inquiry. I would have definitely handled it differently if they had come to me to discuss the vulnerability. I'm also pretty sure that it was a burner account and they were expecting it to get banned.

I apologize for the oversight here and that some people had exciting shortcuts that they were waiting to reveal. I hope you will understand that I take your data very seriously, which is why I advocate for ethical advertising and only storing data you absolutely need. Even though this was a minor incident, I will work harder towards keeping your data private.

Thanks again @zachary7829 for the assist! It made the whole investigation process go much faster.