12 October 2020 Security incident

At 18:40 UK time 12 October 2020, A malicious user exploited a security bug (T117: [CVE-2020-15251] makemodechange failed to check access on restricted changes for self actions allowing ACL bypass {Version 9.0.0 - 9.0.2}) on our production channel in front of us.

We quickly moved to bring the situation under control with myself, @Reception123 and @Sario528 quickly getting to work.

Our bots were taken offline at 19:05 as we began to work on a fix.

By 19:35, A fix was being wrote and @MacFan4000 joined to help. 50 minutes later, we deployed an attempt to fix it which failed.

By 21:18, all services were back and we had deployed and disclosed the issue.

Mistakes happen and we did our best to fix it when we found out. We're always learning. We remain disappointed that someone took advantage of us and encourage all other users to responsibly handle issues.

Thanks to everyone involved,

Written by RhinosF1 on Oct 12 2020, 8:54 PM.
Technical Lead

Event Timeline