Other people's courses appearing in Review?

Is anyone else seeing other people's courses appearing in their Review site?

Every time I return to my review page I see a new course from another author. The course disappears on refresh, but then when I return I see a different one from someone else. 

This has been happening on and off for the last few hours, just curious if it's just me. 

24 Replies
Kayla Burtch

That just happened to me too! I left a comment for the person warning them they should delete that version and publish a new one so I (and anyone else) lose access. The course is gone from my feed but the link still works because it's static. 

This is such a MAJOR breach of security, I might have to stop using this tool entirely to avoid being sued for a breach of NDA. I'm pretty upset.

Kayla Burtch

This isn't a tiny bug, this is a massive security and intellectual property issue. Especially because the links are static (i.e. once someone knows the URL they can still gain access even after it's removed from the homepage.) So now I have no idea which of my thousands of courses might have a security breach. 

Justin Grenier

Thank you, Traci and Kayla, for reporting this behavior.  We are taking this seriously and our investigation is underway.

As Matthew mentioned, any and all details that you can share with us via a Case are greatly appreciated.  We will keep you updated, both privately and publicly, on the progress of our research.

Matthew Bibby
  1. So these courses were showing up in the wrong accounts for 8 hours?
  2. Why wasn’t Review taken offline? 
  3. Why did it take Articulate hours to acknowledge the issue?
  4. Do you know what courses were accessed by people who shouldn’t have had access to them? Have those customers been notified?
  5. Why hasn’t the wider Articulate community been told about this?
  6. Why wasn’t this major security issue listed on articulatestatus?
  7. How could this happen? 
  8. How will you regain our trust?
  9. Do the URLs saved by people during this breach still allow them to access others' content?
Kayla Burtch

It seems like the issue was present from around 9am ET yesterday until a change was reverted around 7:30pm ET yesterday.

It seems to happen on publish (as in, shortly after publishing it was showing up on the wrong user's homepage for a split second).

Officially I'm annoyed they haven't given much guidance, but unofficially I'd say if you published any courses during that time period I would delete the publish and republish as an entirely new version (Not new version of existing course because that keeps the same URL) because once someone has the URL they'd retain access until the course is deleted. (I'd download the comments first so you don't lose them, if applicable)

I also suggested to articulate that they change all the URLs on their end (as this way we wouldn't lose all the comments) but I personally can't risk waiting for them to do that.

Kayla Burtch

I'm really upset that when they were notified they didn't *immediately* shut down review 360, it's too big a breach for them to have taken THREE HOURS to act. 

Bad enough that it took 5-6 hours before they were even notified to begin with, but that's outside their control.

Their reaction when they WERE notified is unacceptable. With a breach that serious they should be proactive not reactive in their response. 

Mike Olivieri

Thanks for getting in touch with us about yesterday’s Review 360 incident. I’d like to provide more context about what happened and what we’re doing about it. 

Yesterday at 1:47 pm ET, our team published an update to Review 360 that made it possible for a small number of Review 360 users to see content created by users outside their account. 

Customers alerted us about this issue yesterday at 4:53 pm ET, and our team began investigating immediately. We identified the cause and reverted the update at 7:31 pm ET. Since then, our team has been focused on gathering details to share with any users affected by this issue to make sure we’re communicating with folks as soon as possible.  

We’re reaching out to customers who were directly affected by this issue. 

More information is available on our status page: https://www.articulatestatus.com and a full post mortem is available here.

We're working on identifying exactly where our engineering and quality processes broke down here so we can make sure it doesn't happen again. We know we hold an important obligation to safeguard your content and maintain your trust, and we are deeply sorry. We’ll work hard to earn your trust with improved processes. 

If you have any other questions, please reach out to our Support Team directly by emailing Support@articulate.com or opening a Support case.

Justin Grenier

Hi, Janet.

We’ve audited the content that was affected by this incident and verified that fewer than 1% of Articulate 360 customers had content that may have been inappropriately viewed. At around 3:30 PM EDT today, we emailed those folks individually to answer questions and address their concerns.

If you have any other questions, please reach out to our Support Team directly by emailing support@articulate.com or opening a Support Case.

Justin Grenier

Since last week’s post-mortem, we’ve dug further into this incident and identified the exact circumstances in which folks could view content that they weren’t authorized to see. We’d like to share this context. 

Right now, the Review 360 engineering team is working on developing a team folders feature. This functionality will allow members of the same Articulate 360 team to organize content into folders that are shared with their teammates. 

To build this feature, the team created a process where users’ dashboards receive updates when teammates create new shared content. Last week, the team released a bug where users could receive updates that were not correctly filtered to members of their team. This bug only occurred in a very specific set of circumstances: when a user navigated from viewing Review 360 content back to the dashboard and while the dashboard was still loading.

This error was limited to displaying the content in the user’s dashboard and enabling the user to view the content. The user wouldn’t be able to duplicate, download, export, rename, or move content. 

What’s Next

We’re working through our process for investigating serious incidents, and that means we’ve appointed an internal incident investigator from outside the responsible engineering team. This investigator will interview team members, review code and internal processes, and ultimately make recommendations to address the gaps that this incident exposed. We’ll update you further with an overview of the types of changes we’re making to ensure this doesn’t happen again. 

Please let us know if you have any questions or if we can provide additional context for your team.
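The post-mortem above describes a dashboard update feed that was not filtered to members of the content owner's team, surfacing during the window while a dashboard was still loading. The following is an added illustration, not Articulate's code and not based on any knowledge of Review 360's implementation: a hypothetical reconstruction of that class of bug (a feed that delivers every update to every subscriber and leaves authorization to the client) next to a team-scoped feed where the server checks the recipient's membership in the item's team at every delivery point, including items buffered while the dashboard is loading. All identifiers, team names and content items are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed sample data: two teams with one member each (hypothetical ids).
MEMBERSHIP = {"team-a": {"alice"}, "team-b": {"bob"}}


@dataclass(frozen=True)
class ContentItem:
    item_id: str
    team_id: str   # the team that owns the shared content
    title: str


@dataclass
class Dashboard:
    user_id: str
    loaded: bool = False
    items: list = field(default_factory=list)    # what the user actually sees
    pending: list = field(default_factory=list)  # arrived while the dashboard was loading


class UnfilteredFeed:
    """Flawed design: every subscriber receives every update; no tenant check on the server."""

    def __init__(self):
        self.subscribers = []

    def subscribe(self, dash):
        self.subscribers.append(dash)

    def publish(self, item):
        for dash in self.subscribers:
            dash.items.append(item)  # no membership check at all

    def finish_loading(self, dash):
        dash.loaded = True


class TeamScopedFeed:
    """Hardened design: the recipient's membership in the item's team is checked at every delivery point."""

    def __init__(self, membership):
        self.membership = membership  # team_id -> set of user_ids
        self.subscribers = []

    def subscribe(self, dash):
        self.subscribers.append(dash)

    def _authorized(self, user_id, item):
        return user_id in self.membership.get(item.team_id, set())

    def publish(self, item):
        for dash in self.subscribers:
            if not self._authorized(dash.user_id, item):
                continue  # never queued or delivered to non-members
            # A dashboard that is still loading buffers the item instead of dropping the check.
            (dash.items if dash.loaded else dash.pending).append(item)

    def finish_loading(self, dash):
        # Re-check buffered items at flush time so the loading state can never bypass scoping.
        dash.items.extend(i for i in dash.pending if self._authorized(dash.user_id, i))
        dash.pending.clear()
        dash.loaded = True


def simulate(feed):
    """Bob returns to a still-loading dashboard while content is published; return titles each user sees."""
    alice = Dashboard("alice", loaded=True)
    bob = Dashboard("bob", loaded=False)
    feed.subscribe(alice)
    feed.subscribe(bob)
    feed.publish(ContentItem("c1", "team-a", "Alice's draft"))     # should reach Alice only
    feed.publish(ContentItem("c0", "team-b", "Bob's earlier"))     # Bob's own team, arrives mid-load
    feed.finish_loading(bob)
    feed.publish(ContentItem("c2", "team-b", "Bob's module"))      # should reach Bob only
    return {d.user_id: [i.title for i in d.items] for d in (alice, bob)}


if __name__ == "__main__":
    print("unfiltered:", simulate(UnfilteredFeed()))
    print("scoped:    ", simulate(TeamScopedFeed(MEMBERSHIP)))
```

The point of the scoped version is that the team check lives with the delivery logic and is keyed on the item's owning team, so a client that is mid-navigation or mid-load has no path that skips it; the loading state only changes where an already-authorized item is queued, never whether it is authorized.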