23 August 2023 security audit #4
wnm210
announced in
Announcements
Replies: 3 comments
-
August 26 update: We are no longer using Cloudflare as our authoritative DNS service. NOVE-C-001 is now fully resolved.
-
August 29 update: We removed all EXIF data from images and videos you uploaded to Files, and we strip it from new uploads automatically, which means that NOVE-C-002 is resolved.
-
September 4 update: We have implemented an account deletion page so users can delete their accounts easily without needing to contact support. NOVE-H-001 is fully resolved.
-
All critical vulnerabilities are patched successfully as of 29 August 2023
Our response to security audit "A-pi8L87KjGU6s"
Oliwier Jaszczyszyn performed a "non-exhaustive security analysis" of Nove Group on 23 August 2023. We were informed about it on 24 August 2023 at 11:24 PM. We took action immediately and fixed most of the issues.
List of resolved issues (all)
NOVE-C-001
We are still using Cloudflare (hopefully this will change soon). But traffic that comes through it is already encrypted by us through a Certbot certificate that we have generated on our server. That means Cloudflare is not able to decrypt it.
Update: We are no longer using Cloudflare as our authoritative DNS service.
NOVE-M-001
The file sharing service does not gain access automatically after account registration. This is a misunderstanding. We did not put up any notice that the "App connections" tab is under ongoing development and does not work, and that's our bad. Records that exist in that category are fictional, only for showcase purposes. We have added a notice about that.
Update: We successfully implemented OAuth2 connections on the Account page in the dashboard.
NOVE-H-001
We have added a line to our privacy policy stating that users can delete their account by reaching out to us via e-mail. We have not implemented an account deletion endpoint in our API yet. We are going to add it as soon as possible.
Update: We have implemented an account deletion page so users can delete their accounts easily without needing to contact support.
NOVE-C-002
We have removed all existing EXIF data from uploaded files. Currently, we are not able to fix that issue. Because it's critical, uploading on files.nove.team is paused temporarily until the issue is fixed.
Update: Now we remove all EXIF data from images and videos you upload to Files.
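The NOVE-C-002 fix describes stripping EXIF from uploads on the server side. The following is an added example of how that can be done for JPEG files without decoding the image: walk the marker segments before the Start-of-Scan marker, drop the APP1 (EXIF and XMP) and APP13 (Photoshop/IPTC) segments that carry location, device and editing metadata, and copy the compressed image data through untouched. This is illustrative code written for this page, not Nove's implementation (their stack is not described here), and the sample JPEG bytes are constructed inline so the example runs offline; they are structurally valid but not a decodable picture.

```python
import struct

SOI, EOI, SOS = 0xFFD8, 0xFFD9, 0xFFDA
APP1, APP13 = 0xFFE1, 0xFFED
EXIF_PREFIX = b"Exif\x00\x00"

# Segment payload prefixes that identify metadata a file host should not serve back.
# APP0 (JFIF) and the DQT/DHT/SOF table segments are kept, the decoder needs them.
PRIVACY_METADATA = {
    APP1: (EXIF_PREFIX, b"http://ns.adobe.com/xap/1.0/\x00"),  # EXIF, XMP
    APP13: (b"Photoshop 3.0\x00",),                            # IPTC / Photoshop IRB
}


def parse_segments(data: bytes):
    """Return ([(marker, payload), ...], tail_offset) for the segments before SOS.

    tail_offset points at the SOS (or EOI) marker; everything from there on is
    entropy-coded image data and is never interpreted here.
    """
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    segments = []
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        while pos + 1 < len(data) and data[pos + 1] == 0xFF:  # skip 0xFF fill bytes
            pos += 1
        if pos + 2 > len(data):
            break
        marker = 0xFF00 | data[pos + 1]
        if marker in (SOS, EOI):
            return segments, pos
        if pos + 4 > len(data):
            break
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]  # includes the 2 length bytes
        end = pos + 2 + length
        if length < 2 or end > len(data):
            raise ValueError(f"truncated segment at offset {pos}")
        segments.append((marker, data[pos + 4:end]))
        pos = end
    raise ValueError("unexpected end of data before SOS")


def _is_privacy_metadata(marker: int, payload: bytes) -> bool:
    return any(payload.startswith(p) for p in PRIVACY_METADATA.get(marker, ()))


def strip_jpeg_metadata(data: bytes) -> bytes:
    """Rebuild the JPEG without EXIF/XMP/IPTC segments; image data is copied verbatim."""
    segments, tail = parse_segments(data)
    out = bytearray(b"\xff\xd8")
    for marker, payload in segments:
        if not _is_privacy_metadata(marker, payload):
            out += struct.pack(">HH", marker, len(payload) + 2) + payload
    out += data[tail:]
    return bytes(out)


def list_segments(data: bytes):
    """Markers of the segments before SOS, useful for checking what an upload carries."""
    return [marker for marker, _ in parse_segments(data)[0]]


def has_exif(data: bytes) -> bool:
    return any(m == APP1 and p.startswith(EXIF_PREFIX) for m, p in parse_segments(data)[0])


def _segment(marker: int, payload: bytes) -> bytes:
    return struct.pack(">HH", marker, len(payload) + 2) + payload


# Constructed sample upload: JFIF header, an EXIF block (fake TIFF header), an XMP block,
# a zeroed quantisation table, a one-component SOS and a few bytes of fake scan data.
SAMPLE_JPEG = (
    b"\xff\xd8"
    + _segment(0xFFE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _segment(APP1, EXIF_PREFIX + b"MM\x00*\x00\x00\x00\x08\x00\x00")
    + _segment(APP1, b"http://ns.adobe.com/xap/1.0/\x00<x:xmpmeta/>")
    + _segment(0xFFDB, bytes(65))
    + b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    + b"\x12\x34\xff\x00\x56"
    + b"\xff\xd9"
)

if __name__ == "__main__":
    print("before:", [hex(m) for m in list_segments(SAMPLE_JPEG)], "exif:", has_exif(SAMPLE_JPEG))
    cleaned = strip_jpeg_metadata(SAMPLE_JPEG)
    print("after: ", [hex(m) for m in list_segments(cleaned)], "exif:", has_exif(cleaned))
```

Running the script shows the two APP1 segments gone while the JFIF and DQT segments and the scan data survive byte for byte, and a second pass is a no-op, which is what an upload pipeline wants: apply on every write, verify with `has_exif` on read. The segment walk above is JPEG-specific; PNG (`eXIf`, `tEXt` chunks), WebP (`EXIF` RIFF chunk) and MP4/MOV videos keep metadata in different containers, so a service that accepts those formats needs a per-format stripper or a re-encode through an image/video library that discards metadata by default.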
NOVE-L-001
Files is scheduled to be rewritten after we finish our side projects. When we do that, Files will support all MIME types, setting your uploads to private or public, and even encrypting the uploads with a custom password.
Closing words
Thanks to Oliwier for performing the audit of our services. We're looking forward to analyses from other companies and/or private individuals.
We will post more updates on this topic in the comments as they occur.
Download full audit file: nove_security_audit.pdf