Announcements

  • Security Update RE: User Uploaded Images

    We strive to continuously improve our online services in both functionality and security. To that end, the vendor who provides us with this online communities service performs regular security audits against software and third-party libraries.

    A recent audit produced two findings regarding images.

    The first finding relates to user-uploaded images; it has never been our practice to modify user-contributed data. As such, any included Exchangeable Image File Format (EXIF) data was left intact. When a user takes a picture with a camera, supplemental metadata is stored in addition to the picture itself, such as the date, time, and camera settings. Bad actors could potentially glean a lot of information about a user from this data. To address this privacy concern, we are now removing this data by default. Please note this change will only apply to images uploaded after this release.

    The second change affects the HTML that can be added via the WYSIWYG editor. A bad actor could manually create an <img> tag link with a malicious tracking URL. After the fix is released, only images uploaded directly via the WYSIWYG editor will be displayed. If you would like to allow additional trusted image sources (such as Dropbox), please reach out to me.

    The fixes for these issues will be released to this site in the first two weeks of March. If you have additional questions about this change, please feel free to reach out to me at any time.

    Justin