Possible Information Disclosure Issue
Each Petition Delivery PDF generated by ControlShift includes (depending on how the platform is configured):
- Each signer's name, in one of several formats: first and last name, first name and last initial, first name only, or initials only.
- The postcode of each signer, optionally.
- Other custom fields, optionally.
This could in theory have allowed someone other than the petition creator to access Petition Delivery PDFs for campaigns they did not create.
The severity of this issue is mitigated by several circumstances that make its real-world impact potentially less serious.
- All Petition Delivery PDFs are intended for public delivery to a decision maker and are exposed to the Petition Creator by design. While they do include information about signers that may be personally identifying, these member-generated PDFs do not include email addresses, phone numbers or other particularly sensitive information.
- Only organizations that are using the Petition Delivery feature and whose Petition Creators have actively created PDF delivery documents are affected. Organizations that do not use this feature, and all petitions that were not delivered, are not affected.
- Only petitions with more than 500 signatures could have been affected.
- Any given PDF is only available for seven days from the time it was generated.
- The Petition Delivery PDF retrieval URLs are in practice somewhat difficult to guess as they include both an identifying number, which is specific to that individual request to generate a Petition Delivery PDF, and the petition slug. These pieces of information must match for any request to succeed during the seven-day window that the PDF is available.
For this vulnerability to be exploited, all of the above conditions would need to have been met. If any of the above were not true – if the user did not guess the identifying number, match it to the correct petition slug, and go to the URL within the seven-day period – they would have seen an error page and been unable to retrieve any user information. We take our responsibilities as a service provider extremely seriously, which is why we're sending this notification, despite having no evidence that this vulnerability was abused.
Additionally, please note that this issue does not affect CSV exports at all, nor does it affect any other data stored in the ControlShift database.
- 9 July 2019 at 9:30 AM ET: ControlShift was informed of the potential vulnerability by a customer, and we began investigation of this issue.
- 10 July 2019 at 3:30 PM ET: Code update released to production for ControlShift-hosted customers, requiring authentication before being able to retrieve the delivery PDF. Self-hosted customers notified of the need to patch their systems.
- 11 July 2019 at 9 AM ET: All ControlShift-hosted customers notified after self-hosted customers patched their systems.
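The following is an added illustration, not ControlShift's code, of the two retrieval checks the timeline contrasts: a lookup that only matches the identifying number and petition slug inside the seven-day window, beside one that additionally requires an authenticated user who is the petition's creator. The record structures, constants and function names (`fetch_pdf_unauthenticated`, `fetch_pdf_authorized`, `PETITIONS`, `PDFS`) are assumptions made for the example, and the data is constructed in memory.

```ruby
# Constructed in-memory records standing in for database rows (assumed shapes,
# not ControlShift's schema).
Petition    = Struct.new(:slug, :creator_id)
DeliveryPdf = Struct.new(:id, :petition_slug, :generated_at, :path)
User        = Struct.new(:id)

RETENTION_SECONDS = 7 * 24 * 60 * 60 # a PDF is only available for seven days

# Fixed "current time" so the example is deterministic.
NOW = Time.utc(2019, 7, 10, 12, 0, 0)

PETITIONS = {
  "save-the-park" => Petition.new("save-the-park", 1),
  "fix-the-road"  => Petition.new("fix-the-road", 2),
}

PDFS = {
  # generated one hour ago: still inside the retention window
  101 => DeliveryPdf.new(101, "save-the-park", NOW - 3600, "/tmp/deliveries/101.pdf"),
  # generated eight days ago: outside the retention window
  102 => DeliveryPdf.new(102, "fix-the-road", NOW - (8 * 24 * 60 * 60), "/tmp/deliveries/102.pdf"),
}

def expired?(pdf, now: NOW)
  now - pdf.generated_at > RETENTION_SECONDS
end

# "Before": the only checks are the identifying number, the slug and the
# retention window. Anyone presenting a valid id/slug pair inside the window
# receives the file, which is the exposure the advisory describes.
def fetch_pdf_unauthenticated(id, slug, now: NOW)
  pdf = PDFS[id]
  return [:not_found, nil] if pdf.nil? || pdf.petition_slug != slug || expired?(pdf, now: now)
  [:ok, pdf]
end

# "After": require an authenticated user, and serve the PDF only to the creator
# of the petition it belongs to. Ownership failures return the same :not_found
# as a bad id/slug so the response does not confirm that a guessed pair exists.
def fetch_pdf_authorized(current_user, id, slug, now: NOW)
  return [:unauthorized, nil] if current_user.nil?
  pdf = PDFS[id]
  return [:not_found, nil] if pdf.nil? || pdf.petition_slug != slug || expired?(pdf, now: now)
  petition = PETITIONS[pdf.petition_slug]
  return [:not_found, nil] if petition.nil? || petition.creator_id != current_user.id
  [:ok, pdf]
end

if __FILE__ == $0
  p fetch_pdf_unauthenticated(101, "save-the-park").first            # :ok (the weak check)
  p fetch_pdf_authorized(nil, 101, "save-the-park").first            # :unauthorized
  p fetch_pdf_authorized(User.new(2), 101, "save-the-park").first    # :not_found (wrong owner)
  p fetch_pdf_authorized(User.new(1), 101, "save-the-park").first    # :ok (creator)
  p fetch_pdf_authorized(User.new(2), 102, "fix-the-road").first     # :not_found (expired)
end
```

The authorization check is deliberately layered on top of, not instead of, the existing id/slug and expiry checks: the retention window still limits how long a correctly authorized link works, while ownership is what closes the gap for anyone who is not the petition creator.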
We appreciate the customer who brought this issue to our attention, and we encourage anyone with security concerns to contact our support team at firstname.lastname@example.org.
We take these issues seriously, which is why our security program includes third-party audits, automated static analysis, peer code review for security issues, and training for staff.
The ControlShift Team