Security issue with local storage in YouTrack Workflow Editor

As you may already know, a security vulnerability was found in the YouTrack Workflow Editor. Here is a detailed overview of what happened.

What happened
On March 7, 2017, we discovered a security issue in the YouTrack Workflow Editor. When you used your YouTrack credentials or JetBrains Account credentials to submit an exception report from inside the Workflow Editor (anonymous reports were not affected), or to authorise the Workflow Editor to connect to your YouTrack instance, the supplied credentials were stored in the user directory in unencrypted format. While this does not pose an imminent security risk, as the user folder is accessible only by the specific user, anyone able to access this file could see the credentials.

What actions we have taken
The latest version of YouTrack Workflow Editor resolves this issue. It no longer stores user credentials in the configuration folder. This version deletes the file containing unencrypted data on first execution. From then on, it prompts for credentials on every connection.

What actions you should take
Please update your installation of YouTrack Workflow Editor using the instructions, then launch the application.
If you believe that someone may have accessed your local home folder and potentially seen your credentials, we recommend changing them.

We are very sorry for any inconvenience that you might have experienced. If you need any further assistance, please contact our Support Engineers.

The Drive to Develop
YouTrack Team

About Natasha Katson

Natasha Katson is a Team Tools Product Marketing Manager at JetBrains.

4 Responses to Security issue with local storage in YouTrack Workflow Editor

  1. Iruwen says:

    The lack of proper TLS support is way more important and has never been addressed.

  2. foo says:

    The Workflow Editor requires a JDK-Version from the stone age. Seriously?

    • Natasha Katson says:

      Well, for now. But as I’ve mentioned in the previous comment, this problem will be solved when the new editor is released.
