June 2, 2021

Re: Security Advisory

Dear Proca User,

We are getting in touch to let you know about a security issue that was reported to us. To be clear: there is nothing to suggest that any data was breached, and we think the likelihood is very low. We decided to contact you because we have published a security advisory on GitHub and do not want anyone to be unduly worried, and because we are going to change how dashboard users are tracked in order to improve our security. This will be reflected in a future change to our privacy policy and terms of use.

We continue to take data privacy and security very seriously. It was a core reason for creating Proca, and we encourage all users to encrypt supporter data to keep it secure.

Summary:

  • Any supporter data that was encrypted is unaffected and fully protected. This is why encryption is so important!
  • The vulnerability was that you, or any other trusted campaigner taking part in one of our existing campaigns, could have exploited the backend to give themselves admin privileges, then join other organisations and therefore access those organisations' supporter data, whether it was stored encrypted or not (encrypted data would still have been protected by its encryption). This was only possible for a technically skilled person who had reviewed the source code of the Proca backend, and it has already been fixed.
  • There is no evidence that this vulnerability was ever exploited. We undertook an audit immediately afterwards to check whether anything was out of place and found nothing: there were no users with permissions they should not have had, no unexpected user accounts, and all encryption keys were exactly in order. Encrypted data and ECI signatures were never at risk.
  • We therefore think it is very unlikely that any actual data breach took place, even though it cannot be completely excluded in theory. We still wanted to let you know, to give you a more complete picture and so that nobody is unduly worried by the security advisory notice on GitHub.
  • All software has bugs, and some of them will affect security. Because our software is released under a free licence, external users can conduct security audits and help make all of us safer.

If you have any questions or wish to discuss this further feel free to get in touch.

All the best,
The Fix the Status Quo Team