Thursday 9th November 2017

Account Server: Session cookie vulnerability in the Account Server

We fixed a security issue in the Account Server that allowed session cookies to be altered. The issue was reported to the core team under the rules of responsible disclosure, during an ethical hacking session in which The Things Network core team participated. The fix was deployed 30 minutes after the issue was reported confidentially. We also reset all sessions of all users on all devices, so everyone has to log in again, to ensure the safety of their sessions.

We also launched a page for responsible disclosure of security issues and invite all community members to make The Things Network a secure and safe environment. See Responsible Disclosure for more information.