
Security Notice: Format Injection Vulnerability

Egor Homakov, an independent security researcher from Sakurity, responsibly disclosed a “Format Injection” vulnerability that affected the Authy service through a commonly used open source library.

The Authy security team investigated immediately and performed a forensic analysis to confirm that this vulnerability had not been exploited. A comprehensive review of our API logs indicated that this vulnerability was not used against the Authy service at any time.

Next, the team notified the author of the affected library of the vulnerability. Third, a comprehensive audit of other third-party libraries and community helper libraries was conducted for the same issue. Finally, patches were applied to the service, and where the original author could not be reached, patched forks of the community helper libraries were published via the Authy GitHub page.

In accordance with our disclosure policy, Egor Homakov assisted the Authy team by providing time to correct the issue for all customers before publishing his findings. Customers found to be using the affected third-party libraries were notified, and our security team worked with them to apply the patch. On March 12, 2015, the Authy team sent a GPG-signed proactive advisory to all of our active customers via email.

We appreciate that Egor responsibly disclosed his research on this vulnerability and provided us with the time to analyze the issue, correct it, and notify customers. As always, we are committed to working with outside security experts and the information security community to ensure a transparent, rapid response to any new vulnerabilities.

About the author: Authy

Authy is simple and secure two-factor authentication, available as a free mobile or desktop app, from Twilio.