UPDATE - 9:45 AM Thursday, October 31, 2024 (CDT)
SUMMARY
On the afternoon of October 30th, Blazestack quickly resolved a minor issue with a third-party library (LottieFiles) used for animations that impacted a small number of Blazestack users, with no compromise of Blazestack user data.
For the avoidance of doubt, there was no security breach, nor illegal access to user data. A few Blazestack users saw crypto advertising briefly. Blazestack users are secure.
To resolve the issue, we followed the Blazestack Security and Breach Protocols Policy, under which we voluntarily took the Blazestack app offline for 18 minutes while we rolled back to a version of the LottieFiles library that is unaffected by the issue.
This strategic rollback fully mitigated the problem, restoring normal functionality and ensuring continued security for our users.
A root cause explanation is published here:
https://github.com/LottieFiles/lottie-player/issues/254#issuecomment-2448685876
SECURITY POLICY
Our Blazestack Security and Breach Protocols Policy mandates that we:
- Implement containment measures without delay.
Done.
- Initiate an inquiry and risk assessment at the same time.
Done.
- Commence notifying users affected by the breach.
No users’ data was affected and no data was breached but we elected to communicate the issue.
- Identify the external notifications that are required or recommended.
This notice.
NOTICE
The policy also requires that we provide notice to our users. The notice must be written in straightforward language and include the following information:
- A concise summary of what occurred, including the date of the breach and, if known, the date of its detection;
October 30th 2024, between 4:00pm and 4:30pm (Central Daylight Time)
- If known, a summary of the types of protected information implicated in the incident;
No information, protected or unprotected, was revealed or compromised.
- Any precautions the user should take to protect user data from any potential damage caused by the breach.
Users do not need to take any additional precautions, other than normal.
- A concise explanation of what Blazestack is doing to investigate the incident, minimize the harm to persons and users, and prevent future breaches.
This notice covers these.
Again, none of the Blazestack security mechanisms, processes or technology were compromised. The LottieFiles issue stemmed from a LottieFiles employee key being compromised and an altered package being made available via NPM, then application dependencies being pinned to the latest version.
Moving forward we will risk-assess third-party dependent library version usage, in particular all CDN-delivered library dependencies pinned to the latest version. That review activity is already underway.
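As an added example (not Blazestack's own tooling), one way to carry out the kind of review described above: scan page markup for script tags loaded from npm-backed CDNs, flag any pinned to "latest" or left unpinned, and flag any without a Subresource Integrity hash. The package name comes from the notice; the sample markup, version numbers and SRI hash are constructed placeholders.

```python
import re
from urllib.parse import urlparse

# Constructed sample page (not Blazestack's markup). Version numbers and the SRI hash are placeholders.
SAMPLE_HTML = """
<script src="https://unpkg.com/@lottiefiles/lottie-player@latest/dist/lottie-player.js"></script>
<script src="https://cdn.jsdelivr.net/npm/@lottiefiles/lottie-player/dist/lottie-player.js"></script>
<script src="https://unpkg.com/@lottiefiles/lottie-player@1.2.3/dist/lottie-player.js"></script>
<script src="https://unpkg.com/@lottiefiles/lottie-player@1.2.3/dist/lottie-player.js"
        integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
"""

SCRIPT_RE = re.compile(r"<script\b([^>]*)>", re.IGNORECASE)
ATTR_RE = re.compile(r'([A-Za-z-]+)\s*=\s*"([^"]*)"')
EXACT_RE = re.compile(r"\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.-]+)?")  # exact semver, no ranges/tags
NPM_CDN_HOSTS = {"unpkg.com", "cdn.jsdelivr.net"}  # serve npm packages straight from the registry


def parse_package(path):
    """Split an unpkg/jsDelivr path into (package, version_spec); spec is None when unpinned."""
    segs = [s for s in path.split("/") if s]
    if segs and segs[0] == "npm":  # jsDelivr prefixes npm packages with /npm/
        segs = segs[1:]
    if not segs:
        return None, None
    if segs[0].startswith("@"):  # scoped package: @scope/name@spec
        if len(segs) < 2:
            return None, None
        scope, name = segs[0] + "/", segs[1]
    else:
        scope, name = "", segs[0]
    pkg, _, spec = name.partition("@")
    return scope + pkg, spec or None


def audit_script_tags(html):
    """Flag CDN-delivered npm scripts that float to 'latest'/unpinned or lack an SRI hash."""
    findings = []
    for m in SCRIPT_RE.finditer(html):
        attrs = {k.lower(): v for k, v in ATTR_RE.findall(m.group(1))}
        src = attrs.get("src", "")
        url = urlparse(src)
        if url.hostname not in NPM_CDN_HOSTS:
            continue
        pkg, spec = parse_package(url.path)
        issues = []
        if not (spec and EXACT_RE.fullmatch(spec)):
            issues.append("floating version (%s)" % (spec or "unpinned"))
        if "integrity" not in attrs:
            issues.append("no SRI integrity attribute")
        findings.append({"src": src, "package": pkg, "version": spec, "issues": issues})
    return findings
```

An exact version plus an `integrity` hash means a replaced package on the registry cannot be served to the page unnoticed; a floating tag such as `@latest` picks up whatever was most recently published.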
Per our security policy, we also updated Blazestack users via this blog post:
https://www.blazestack.com/blog/important-update
Blazestack, Bubble.io and LottieFiles consider the issue resolved.
Our systems remain secure as we uphold our security standards. Any questions or concerns should be sent to support@blazestack.com.
UPDATE - 4:50 PM Wednesday, October 30, 2024 (CDT)
LottieFiles is aware and has published a fix. More details can be found here:
https://github.com/LottieFiles/lottie-player/issues/255
UPDATE - 4:30 PM Wednesday, October 30, 2024 (CDT)
Blazestack is live and available to users once again.
There may be a few features that don't function. We are still reviewing app functionality and app security. We do NOT believe that any data or users have been corrupted. Again, we believe your data and users are safe and secure.
Thank you for your patience.
support@blazestack.com
Initial Message - 4:20 PM Wednesday, October 30, 2024 (CDT)
We wanted to reach out and assure you that we are actively managing the recent compromise involving LottieFiles.
This compromise is affecting apps all over the internet. Blazestack will be out of service for a few moments as we review the app for any breaches and/or corruption of data.
We’ve implemented rigorous safeguards to protect your data and ensure the integrity of our services, and feel confident that your data is still safely stored and encrypted. Thank you for your understanding and trust. We’ll keep you updated on any developments, but please feel free to reach out with any questions in the meantime.
support@blazestack.com