Forum Discussion
Other people's courses appearing in Review?
Is anyone else seeing other people's courses appearing in their Review site?
Every time I return to my review page I see a new course from another author. The course disappears on refresh, but then when I return I see a different one from someone else.
This has been happening on and off for the last few hours, just curious if it's just me.
- MikeOlivieri-6f (Former Staff)
Thanks for getting in touch with us about yesterday’s Review 360 incident. I’d like to provide more context about what happened and what we’re doing about it.
Yesterday at 1:47 pm ET, our team published an update to Review 360 that made it possible for a small number of Review 360 users to see content created by users outside their account.
Customers alerted us about this issue yesterday at 4:53 pm ET, and our team began investigating immediately. We identified the cause and reverted the update at 7:31 pm ET. Since then, our team has been focused on gathering details to share with any users affected by this issue to make sure we’re communicating with folks as soon as possible.
We’re reaching out to customers who were directly affected by this issue.
More information is available on our status page: https://www.articulatestatus.com and a full post mortem is available here.
We're working on identifying exactly where our engineering and quality processes broke down here so we can make sure it doesn't happen again. We know we hold an important obligation to safeguard your content and maintain your trust, and we are deeply sorry. We’ll work hard to earn your trust with improved processes.
If you have any other questions, please reach out to our Support Team directly by emailing Support@articulate.com or opening a Support case.
- Justin (Staff)
Since last week’s post-mortem, we’ve dug further into this incident and identified the exact circumstances in which folks could view content that they weren’t authorized to see. We’d like to share this context.
Right now, the Review 360 engineering team is working on developing a team folders feature. This functionality will allow members of the same Articulate 360 team to organize content into folders that are shared with their teammates.
To build this feature, the team created a process where users’ dashboards receive updates when teammates create new shared content. Last week, the team released a bug where users could receive updates that were not correctly filtered to members of their team. This bug only occurred in a very specific set of circumstances: when a user navigated from viewing Review 360 content back to the dashboard and while the dashboard was still loading.
This error was limited to displaying the content in the user’s dashboard and enabling the user to view the content. The user wouldn’t be able to duplicate, download, export, rename, or move content.
What’s Next
We’re working through our process for investigating serious incidents, and that means we’ve appointed an internal incident investigator from outside the responsible engineering team. This investigator will interview team members, review code and internal processes, and ultimately make recommendations to address the gaps that this incident exposed. We’ll update you further with an overview of the types of changes we’re making to ensure this doesn’t happen again.
Please let us know if you have any questions or if we can provide additional context for your team.
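The filtering failure described in this post, as an added sketch that is not part of the thread and not Articulate's code. The post does not say how the filter failed, so the flawed filter below is one assumed way a still-loading dashboard can receive unfiltered updates. All names and sample records are hypothetical and constructed.

```javascript
// Added illustration; every name here is hypothetical, not Articulate's code.
// Constructed sample: three live dashboard sessions across two teams.
const sessions = [
  { userId: "ana", teamId: "team-a", ready: true },
  { userId: "ben", teamId: "team-b", ready: true },
  // Dashboard still loading: team context not yet resolved for this session.
  { userId: "cy", teamId: null, ready: false },
];
const update = { contentId: "course-42", ownerTeamId: "team-a" };

// Flawed filter (assumed): a session with no team yet is never excluded,
// so it receives updates for every team while it is loading.
function recipientsFlawed(upd, subs) {
  return subs
    .filter((s) => !s.teamId || s.teamId === upd.ownerTeamId)
    .map((s) => s.userId);
}

// Deny-by-default filter: deliver only to a ready session whose resolved
// team equals the owning team; record every withheld delivery for audit.
function recipientsChecked(upd, subs, audit) {
  const out = [];
  for (const s of subs) {
    if (s.ready === true && s.teamId === upd.ownerTeamId) {
      out.push(s.userId);
    } else {
      audit.push({ userId: s.userId, contentId: upd.contentId,
                   reason: s.ready ? "team_mismatch" : "context_not_ready" });
    }
  }
  return out;
}

// Impact scoping: from a delivery log and a membership table, list the
// deliveries that crossed a team boundary.
function crossTeamDeliveries(log, teamOf) {
  return log.filter((d) => teamOf[d.userId] !== d.ownerTeamId);
}

// Constructed delivery log and membership table for the scoping check.
const deliveryLog = [
  { userId: "ana", contentId: "course-42", ownerTeamId: "team-a" },
  { userId: "cy", contentId: "course-42", ownerTeamId: "team-a" },
];
const teamOf = { ana: "team-a", ben: "team-b", cy: "team-b" };
```

The checked filter fails closed: a session whose team is not yet known gets nothing until its context resolves, and the audit entries give responders a record of what was withheld and why.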
Hi Everyone,
We've resolved the issue and are working to determine who was impacted. We will update you when we have more information.
- kaylaburtch-de0 (Community Member)
This isn't a tiny bug, this is a massive security and intellectual property issue. Especially because the links are static (i.e. once someone knows the URL they can still gain access even after it's removed from the homepage.) So now I have no idea which of my thousands of courses might have a security breach.
- Justin (Staff)
Thank you, Traci and Kayla, for reporting this behavior. We are taking this seriously and our investigation is underway.
As Matthew mentioned, any and all details that you can share with us via a Case are greatly appreciated. We will keep you updated, both privately and publicly, on the progress of our research.
- eLearningTeam-6 (Community Member)
I think the best course of action is for Articulate to temporarily shut down Review 360 until this matter is resolved, as it is a huge breach of privacy.
Password protected content in Review 360 remained protected by the password during this incident.
- kaylaburtch-de0 (Community Member)
It seems like the issue was present from around 9am ET yesterday until a change was reverted around 7:30pm ET yesterday.
It seems to happen on publish (as in, shortly after publishing it was showing up on the wrong user's homepage for a split second).
Officially I'm annoyed they haven't given much guidance, but unofficially I'd say if you published any courses during that time period I would delete the publish and republish as an entirely new version (not a new version of the existing course, because that keeps the same URL), because once someone has the URL they'd retain access until the course is deleted. (I'd download the comments first so you don't lose them, if applicable.)
I also suggested to Articulate that they change all the URLs on their end (as this way we wouldn't lose all the comments), but I personally can't risk waiting for them to do that.
- Traci (Community Member)
Yeah! I can open them which is terrifying! I've already grabbed a few screenshots at this point.
- kaylaburtch-de0 (Community Member)
That just happened to me too! I left a comment for the person warning them they should delete that version and publish a new one so I (and anyone else) lose access. The course is gone from my feed but the link still works because it's static.
This is such a MAJOR breach of security, I might have to stop using this tool entirely to avoid being sued for a breach of NDA. I'm pretty upset.
- Traci (Community Member)
I found one of the course owners on LinkedIn and let her know! So crazy that this is happening!
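The static-link concern raised in the thread, and the suggestion to change URLs without losing comments, as an added sketch that is not from any post and not Articulate's code. It assumes a data model in which the URL carries only a share token that maps to an internal content ID; the class, method and sample names are hypothetical.

```javascript
// Added illustration with hypothetical names; not Articulate's data model.
// Token source: Node's crypto module when available, Web Crypto otherwise.
function newToken() {
  if (typeof require === "function") {
    return require("crypto").randomBytes(16).toString("hex");
  }
  return globalThis.crypto.randomUUID().replace(/-/g, "");
}

class ReviewStore {
  constructor() {
    this.items = new Map(); // contentId -> { title, comments }
    this.links = new Map(); // share token (the only secret in the URL) -> contentId
  }
  publish(contentId, title) {
    this.items.set(contentId, { title, comments: [] });
    return this.issueLink(contentId);
  }
  issueLink(contentId) {
    const token = newToken();
    this.links.set(token, contentId);
    return token;
  }
  // Resolve a URL token; unknown or revoked tokens resolve to nothing.
  open(token) {
    const id = this.links.get(token);
    return id ? this.items.get(id) : null;
  }
  comment(token, text) {
    const item = this.open(token);
    if (!item) return false;
    item.comments.push(text);
    return true;
  }
  // Removing an item from a dashboard does not touch the link table, so a
  // URL that leaked keeps working. Rotation revokes every old token for the
  // item and issues a new one; comments stay attached to the contentId.
  rotateLink(contentId) {
    for (const [token, id] of this.links) {
      if (id === contentId) this.links.delete(token);
    }
    return this.issueLink(contentId);
  }
}

// Constructed scenario: a link is exposed, commented on, then rotated.
function demoRotation() {
  const store = new ReviewStore();
  const leaked = store.publish("course-42", "Onboarding");
  store.comment(leaked, "Slide 3 typo");
  const fresh = store.rotateLink("course-42");
  return { oldWorks: store.open(leaked) !== null, newWorks: store.open(fresh) !== null,
           comments: store.open(fresh).comments, differs: fresh !== leaked };
}
```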