We at SimplyBook.me ltd., (Limassol, Cyprus) put security and privacy as our top priority. Last year we were one of the first SaaS companies to implement all controls required by GDPR into our software and embraced the policies of these new privacy regulations.
As part of our security and privacy procedures, we inform our users of security-related incidents that arise in our system and can potentially affect them. The following is such an incident.
Our team was informed by one of our users (a security expert company with permission to perform security scans) about a security issue on Sunday, 2019/05/12, and it was fixed the same day.
No one, besides the security specialist, has contacted us about this issue nor has anyone maintained to have acquired any personal data and after our own investigation, we do not have a reason to believe that this vulnerability was used to gain access to user’s data. However, since it was present in the system we are publishing this incident to our users in this blog, as well as a notification in all user systems, and also to the Commissioner of Personal Data in our jurisdiction.
What was the problem:
A library component in a framework we use was not working as expected and caused a serious security hole. It only affected part of our servers and not all of them.
This security issue involves the accounts of our European and Asian users (booking pages that end with .asia or .it) as there is a different display mechanism on other world servers i.e. the .me pages (USA, CANADA, AUSTRALIA, SOUTH AMERICA, AFRICA, SE ASIA) making the exploit invalid.
This vulnerability, if used by a malicious and skilled hacker, could potentially cause account data disclosure of our users (including their client data), whose accounts would reside on the same server as the hacker’s account. However, credit card details are never processed on our web site and therefore would not be affected by this issue.
The data accessible by a potential intruder could include:
1) Name (in some interfaces First Name and Last Name); Unique identifier; Picture; OpenID
2) Email address; Phone number; Physical address
3) Notifications: Booking related (email and SMS); Promotional (email and SMS); Occasional messages (emails and SMS from reports); System user emails; Reviews; Contact widget messages
4) Salted hash of Passwords (encrypted)
5) Medical and Health Information – SOAP information and medical history (The new SOAP module is fully encrypted with private keys and would not be affected by such incident)
6) Payments history; Services and products price
7) List of bookings (with additional fields, history of changes if any, booking statuses if any, comments if any); Registration date time; Logs; IP address; Browser fingerprints; Last access date-time
8) SimplyBook.me account data Payment systems with user keys; SMTP username and password; Gallery (logo, background, gallery, catalog, promotions, uploaded photos); connected Google / Outlook calendars
What was done by us:
- Code was updated to prevent framework library error and additional measures were taken to further limit uploading and execution of files.
- Server’s code was checked for consistency, possible bookmarks. No bookmarks were found.
- All server passwords were changed, all public and private keys were changed.
- Web server logs were inspected, no traces of exploit execution were found.
What you can do:
You may consider, depending on your company policies and country regulations, whether to inform your clients about this security issue.
This issue has been fixed and we will continue to do our best and work with security specialists to protect your and your client’s data in the future and keep you fully informed about this and any other incidents that might arise.
I am sincerely sorry that we failed to notice this issue internally and that it was pointed out to us by an external security expert instead of us finding it beforehand. We will review our security procedures and processes going forward to harden our security further.
Rut Steinsen – CEO