Security issue with local storage in YouTrack Workflow Editor

As you may already know, a security vulnerability was found in the YouTrack Workflow Editor. Here is a detailed overview of what happened.

What happened
On March 7, 2017, we discovered a security issue in the YouTrack Workflow Editor. When you used your YouTrack credentials or JetBrains Account credentials to submit an exception report from inside the Workflow Editor (anonymous reports were not affected), or to authorise the Workflow Editor to connect to your YouTrack instance, the supplied credentials were stored in the user directory in unencrypted format. While this does not pose an imminent security risk, as the user folder is accessible only by the specific user, anyone able to access this file could see the credentials.

What actions we have taken
The latest version of YouTrack Workflow Editor resolves this issue. It no longer stores user credentials in the configuration folder. This version will delete the file containing unencrypted data on first execution. From then on, it will prompt for credentials on every connection.

What actions you should take
Please update your installation of YouTrack Workflow Editor using the instructions and launch the application.
If you believe that someone may have accessed your local home folder and potentially seen your credentials, we’d recommend changing these.

We are very sorry for any inconvenience that you might have experienced. If you need any further assistance, please contact our Support Engineers.

The Drive to Develop
YouTrack Team

4 Responses to Security issue with local storage in YouTrack Workflow Editor

  1. Iruwen says:

    March 17, 2017

    The lack of proper TLS support is way more important and has never been addressed.

  2. foo says:

    March 17, 2017

    The Workflow Editor requires a JDK-Version from the stone age. Seriously?

    • Natasha Katson says:

      March 20, 2017

      Well, for now. But as I’ve mentioned in the previous comment, this problem will be solved when the new editor is released.
