
Security issue with local storage in YouTrack Workflow Editor

As you may already know, a security vulnerability was found in the YouTrack Workflow Editor. Here is a detailed overview of what happened.

What happened
On March 7, 2017, we discovered a security issue in the YouTrack Workflow Editor. When you used your YouTrack credentials or JetBrains Account credentials to submit an exception report from inside the Workflow Editor (anonymous reports were not affected), or authorised the Workflow Editor to connect to your YouTrack instance, the supplied credentials were stored unencrypted in the user directory. This does not pose an imminent security risk, as the user folder is accessible only by the specific user, but anyone able to access this file could read the credentials.

What actions we have taken
The latest version of YouTrack Workflow Editor resolves this issue. It no longer stores user credentials in the configuration folder. This version deletes the file containing the unencrypted data on first execution. From then on, it prompts for credentials on every connection.

What actions you should take
Please update your installation of YouTrack Workflow Editor using the instructions, then launch the application.
If you believe that someone may have accessed your local home folder and potentially seen your credentials, we recommend changing them.

We are very sorry for any inconvenience that you might have experienced. If you need any further assistance, please contact our Support Engineers.

The Drive to Develop
YouTrack Team