
Security Notice: Format Injection Vulnerability

Egor Homakov, an independent security researcher from Sakurity, responsibly disclosed a “Format Injection” vulnerability that affected the Authy service through a commonly used open source library.

The Authy security team immediately investigated and performed a forensic analysis to confirm that this vulnerability had not been exploited. A comprehensive review of our API logs indicated that it was never used against the Authy service.

Next, the team notified the author of the affected library of the vulnerability. Third, a comprehensive audit was conducted of other third-party libraries and community helper libraries for the same issue. Finally, patches were applied to the service, and patched forks of the community helper libraries were published via the Authy GitHub page where the original author could not be reached.

In accordance with our disclosure policy, Egor Homakov gave the Authy team time to correct the issue for all customers before publishing his findings. Customers found to be using the affected third-party libraries were notified, and our security team worked with them to apply the patch. On March 12, 2015, the Authy team sent a GPG-signed proactive advisory to all of our active customers via email.

We appreciate that Egor responsibly disclosed his research of this vulnerability, and provided us with the time to analyze the issue, correct it and notify customers. As always, we are committed to working with outside security experts and the information security community to ensure transparent, rapid response to any new vulnerabilities.

About the author Simon Thorpe

Simon works in the product group at Authy and has over 15 years of experience in the security and identity management space. Working at companies like Oracle, Microsoft and Okta, he has spent a lot of time understanding and architecting solutions to secure all sorts of information. At Authy he works closely with the whole team to deliver a world class solution for developers to build security into their applications.
