
Buffer: Bug in Login System - chmars
I have just received the following e-mail from Buffer:<p>Hi there,<p>We wanted to proactively reach out to you about a bug in our login system that we identified on Friday and resolved over the weekend.<p>This bug affected 0.00599% of Buffer users (467 out of 7,800,000), and we have reached out to those 467 people separately.<p>When a user logs in, we create an access token that secures their login and gives them access to Buffer. We identified a bug with this login system that made it possible in very rare cases for two accounts to share one access token. This would cause one of those Buffer users to log in to the incorrect account.<p>This issue is fully resolved. Our team has implemented a more secure system for granting these tokens, which ensures that all account access is private, safe, and secure.<p>To be especially clear: No passwords were compromised. No credit card details were at risk. This was a technical bug within our system and not a malicious event or hack from an outside party.<p>We’ve taken precautions to upgrade all Buffer accounts to our new login system. If you use a Buffer mobile app, you will need to log back in; if you use a third party app (like Zapier), you will need to reconnect.<p>Lastly, I’d like to send a big thank you to the customer who made us aware of this. We’re always amazed by the community we get to serve.<p>Photo of Dan.
Dan Farrelly, CTO
======
uri3000
How can this even happen, technically?

~~~
gitgud
It seems 2 accounts coincidentally get the same login token. Not sure how this
could happen, perhaps a problem with the hash algorithm?

------
tnolet
My only question is why they built their own login system? Isn't this a golden
rule: never build your own auth.

~~~
jchw
No, the golden rule is never build your own _crypto_. Building your own auth
is damn near inevitable unless you are running a fairly simple operation and
off the shelf Django or RoR components are good enough.

~~~
gcsm
Actually, it should be never build your own non-open source crypto.

------
jamespetercook
I got this email too

~~~
raffijacobs
I've got this email for 4 users so far and know of another 2 affected.

