Hello all - I’d like to share some information about a security issue we discovered and repaired this evening.
We noticed this evening around 4PM PDT that our links to share High Fidelity snapshots on social media included the user’s OAuth access token in the URL when shared from inside of Interface. At this time we do not have any evidence that any access tokens were obtained and used via this exploit.
We have invalidated all access tokens generated by Interface clients from the past 30 days (a granted token expires a month later). This ensures that any access token that was inadvertently shared is no longer valid and cannot take any authenticated actions against your account.
You will need to log out and log back into Interface to obtain a new access token. Until then, though Interface may show your username in the window title, you are effectively logged out and will not be able to perform actions that typically require authentication.
We have already deployed a change to the website to fix the social links from the snapshot page. This fixes the current issue, meaning that the snapshot/share feature is safe to use and will not require any further token invalidation.
We are working on a fix to Interface to move the OAuth access token from the query string to the HTTP headers for requests to the High Fidelity API. This will ensure that in the future any other actions on High Fidelity web pages taken through Interface will not have access to the OAuth access token via the query string.
I want to re-iterate that the privacy and security of your account are extremely important to us. I am happy to provide any additional information or technical details you request below.
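
The two fixes described in the post (share links without the token, and the token moved from the query string to the HTTP headers), sketched as an added example that is not part of the original post and is not High Fidelity's code. The parameter name `access_token`, the other names in the sensitive list, the `Bearer` header scheme and all URLs are assumptions; the token value is constructed.

```javascript
// Assumed names of query parameters that carry credentials. The post does
// not give the real parameter name; "access_token" is the RFC 6750 name.
const SENSITIVE_PARAMS = new Set(["access_token", "id_token", "refresh_token", "token"]);

// Split a URL into a credential-free URL and the access token it carried.
function stripCredentials(rawUrl) {
  const url = new URL(rawUrl);
  let token = null;
  // Copy the keys first: deleting while iterating searchParams skips entries.
  for (const key of [...url.searchParams.keys()]) {
    const name = key.toLowerCase();
    if (!SENSITIVE_PARAMS.has(name)) continue;
    if (name === "access_token" && token === null) {
      token = url.searchParams.get(key);
    }
    url.searchParams.delete(key); // removes every occurrence of this key
  }
  return { cleanUrl: url.href, token };
}

// Build a social share link that can only ever contain the cleaned URL.
// shareBase is a hypothetical share endpoint taking the page URL in "u".
function buildShareLink(shareBase, pageUrl) {
  const share = new URL(shareBase);
  share.searchParams.set("u", stripCredentials(pageUrl).cleanUrl);
  return share.href;
}

// Describe an API request with the token in a header instead of the URL,
// so the URL is safe to log, share, or expose to page scripts.
function authorizedRequest(rawUrl) {
  const { cleanUrl, token } = stripCredentials(rawUrl);
  const headers = token ? { Authorization: `Bearer ${token}` } : {};
  return { url: cleanUrl, headers };
}

// Constructed sample input: a snapshot page URL as a client might open it.
const sample = "https://example.test/snapshots/42?access_token=CONSTRUCTED-TOKEN&ref=feed";
console.log(buildShareLink("https://social.example/share", sample));
console.log(authorizedRequest(sample));
```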