Security Update: Firestore Rules
We want to inform you about a security update to Throne. With the help of a security research group that specialises in testing the security of databases and web applications, an issue in our Firestore security rules was identified. Firestore is the database service we use; it is operated by Google in the US. No data was compromised or viewed by any unknown party at any time. We corrected the rules within 15 minutes of the issue being reported to us, and this article explains what happened and which measures we took. Because no data was compromised by any unknown party, no action is required on the users' side.
In late March a version of Throne was shipped with misconfigured Firestore security rules. The rules permitted reads of data that should not have been readable by clients, namely the list of blocked IP addresses we maintain for fraud prevention and session cookies belonging to a small subset of our merchant accounts. The security researchers were able to read this data.
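The article does not disclose which rule was misconfigured. The following is an added illustration, not Throne's rules, of the pattern that most often causes this class of exposure in Firestore: a catch-all match that grants reads to every request, next to a hardened version that denies by default and scopes each grant to the authenticated owner. The collection names (blockedIps, merchants, private) are assumptions chosen for the example.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // WEAK (illustrative, commented out): a wildcard match that allows every
    // read makes all documents world-readable, including internal collections
    // such as a fraud blocklist or per-merchant session material. The Firebase
    // console's "test mode" template is the same open rule with a time limit
    // (allow read, write: if request.time < timestamp.date(...)).
    //
    // match /{document=**} {
    //   allow read: if true;
    // }

    // HARDENED: Firestore denies any request no rule explicitly allows, so the
    // safe approach is to write narrow allows and let everything else fail.

    // Hypothetical collection: fraud blocklist. Server-only data. Explicitly
    // denying it documents the intent; backend code using the Admin SDK is not
    // subject to these rules and remains the only reader.
    match /blockedIps/{ip} {
      allow read, write: if false;
    }

    // Hypothetical collection: merchant profiles. A signed-in merchant may read
    // only the document whose id equals their own uid.
    match /merchants/{merchantId} {
      allow read: if request.auth != null
                  && request.auth.uid == merchantId;
      allow write: if false;   // writes happen through a trusted backend
    }

    // Hypothetical subcollection for anything a client must never see, such as
    // session tokens. No rule grants access, so no client can read or write it.
    match /merchants/{merchantId}/private/{doc} {
      allow read, write: if false;
    }
  }
}
```

Two checks worth building into review for any rules change: make sure no `match /{document=**}` grant survives in production, and run the rules against the Firestore emulator with the `@firebase/rules-unit-testing` package, asserting that an unauthenticated read of an internal collection is rejected and that a merchant cannot read another merchant's document.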
We were informed of the issue by the German security research collective “Zerforschung”. Their message reached our engineering team at 19:37 on 30 March 2023, and a fix was deployed at 19:44 on 30 March 2023, seven minutes later.
Once the rules were corrected, we investigated whether users were affected and whether personal data was at risk. Using access logs (IP logs) we established that nobody other than the researchers had read the exposed data. This, combined with the fact that the data found in these merchant accounts could hardly be linked to Throne user data, led us to conclude that there was no risk to personal data. We also obtained an external opinion from a German data privacy expert, who confirmed this assessment. Still, we want to be transparent about the security update.
What are the next steps for Throne?
Data security is our utmost priority. No data has been accessed by unknown parties. Still, we took further steps to learn from this incident:
- We have increased the frequency of the penetration tests that an external agency performs against the site.
- We have extended our internal code review practices: any constant data stored in the database is now reviewed, and changes to access rights, including Firestore security rules, receive a dedicated review.
These measures raise Throne's security standard further.
We want to thank Zerforschung for helping us make the Throne application safer by flagging this Firestore security rules issue to us. Security researchers such as Zerforschung are instrumental in keeping the web safe for everyone.
What does this mean for you?
Nothing. No data was accessed by unknown parties, so this article exists for transparency only. No action needs to be taken.