Cornerstone status

23rd September 2020

Security vulnerability discovered

Shortly after midnight on 22 September 2020 we experienced a security breach. The attacker got in through an SQL injection vulnerability that had gone unnoticed for 8 years. This error does not reflect the coding practice in our company at that time, nor does it now. The vulnerability was closed the same morning and the sessions table was wiped. Thanks to extensive logging we were able to quickly isolate exactly which personal data had been exposed. We can establish with certainty that none of the tables set aside for personal data were exposed, with one exception: the user account table and the session table, the only place where a few fields are not fully encrypted. Of the roughly 19,000 user accounts at the time, 12% were affected. For most of them the exposure was limited; for a small number (24) it was somewhat more serious. In detail:

  • For 15 accounts, the username, email address and password hash* were leaked.

  • For 9 accounts, the email address and password hash* were leaked.

  • For 1091 accounts, the username and password hash* were leaked.

  • For 1154 accounts, the email address was leaked. This only reveals that the holder of that email address has a user account in the system. The Cornerstone Platform is so widely used that this fact alone cannot reasonably reveal anything further about the user.

*) A password hash cannot be used directly to log in, but a skilled individual can recover the original password from it by brute force, that is, by hashing candidate passwords until one produces the same value. With the MD5 scheme that was in use this is feasible, especially for short or common passwords.

What we have done: we immediately closed the vulnerability and wiped all user sessions. Starting 24 September, we upgraded password security for everyone, as follows:

  • Password requirements are now stricter, and all old passwords have been invalidated, so every user must set a new one.

  • Password hashing has been significantly strengthened, moving from MD5 to a Blowfish-based password hash (bcrypt). Usernames and email addresses are now also encrypted in the user table.

  • We will even more actively encourage our clients to use SMS-based MFA in addition to username and password, or preferably BankID, which is considerably safer.

  • We analysed activity following the breach to ensure that no further personal information was accessed, and thanks to the extensive logging in the system we can state with confidence that it was not.
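The footnote on the leaked hashes and the MD5-to-Blowfish upgrade above are the two technical points in this notice. The Python below is an added illustration, not Cornerstone or Kommunion code: it shows why an unsalted MD5 leak is crackable offline, and what a salted, slow hash changes. It assumes a constructed four-account table with deliberately weak passwords and a constructed five-word wordlist, and it uses the standard library's scrypt in place of bcrypt (the Blowfish-based hash the notice adopts) because Python ships no bcrypt; the cost parameter, record format and the rule that legacy MD5 records are refused are the example's own choices.

```python
import hashlib
import hmac
import itertools
import os
import string

# Constructed sample of what an attacker holds after a leak like the one in the
# notice: usernames paired with unsalted MD5 digests. Not real accounts; the
# passwords are deliberately weak (assumption for the demo).
LEAKED_MD5 = {
    "alice": hashlib.md5(b"abc123").hexdigest(),
    "bob": hashlib.md5(b"qwerty").hexdigest(),
    "carol": hashlib.md5(b"zz9").hexdigest(),
    "dave": hashlib.md5(b"correct horse battery staple").hexdigest(),
}

# Constructed stand-in for a public wordlist of common passwords.
WORDLIST = ["123456", "password", "qwerty", "abc123", "letmein"]


def crack_md5(digests, wordlist=WORDLIST, max_len=3,
              alphabet=string.ascii_lowercase + string.digits):
    """Offline attack on unsalted MD5: hash each candidate once and look it up
    against every leaked digest at the same time (no salt means one pass covers
    all accounts). Returns {username: password} for the accounts recovered.
    The brute-force phase stops at max_len characters so it runs in seconds in
    pure Python; a GPU cracker does the same work billions of times faster."""
    by_digest = {}
    for user, digest in digests.items():
        by_digest.setdefault(digest, []).append(user)
    found = {}

    def try_candidate(pw):
        users = by_digest.get(hashlib.md5(pw.encode()).hexdigest())
        if users:
            for user in users:
                found[user] = pw
        return len(found) == len(digests)  # True once every account is cracked

    for pw in wordlist:
        if try_candidate(pw):
            return found
    for length in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=length):
            if try_candidate("".join(chars)):
                return found
    return found


SCRYPT_N = 2 ** 14  # work factor (assumed value); raise it as hardware gets faster


def hash_password(password, salt=None):
    """Salted, memory-hard scrypt from the standard library, used here as a
    stand-in for the Blowfish-based bcrypt scheme: a random per-user salt stops
    one pass from covering all accounts, and the tunable cost makes every guess
    expensive. The record is self-describing so the cost can be raised later."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.scrypt(password.encode(), salt=salt, n=SCRYPT_N, r=8, p=1, dklen=32)
    return "scrypt$%d$%s$%s" % (SCRYPT_N, salt.hex(), digest.hex())


def verify_password(password, stored):
    """Recompute with the stored salt and cost, compare in constant time."""
    scheme, n, salt_hex, digest_hex = stored.split("$")
    if scheme != "scrypt":
        return False
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=8, p=1, dklen=32)
    return hmac.compare_digest(digest.hex(), digest_hex)


def check_login(stored, password):
    """Login policy matching the notice: legacy MD5 records are never accepted
    (those passwords were wiped and must be reset); only new records verify."""
    if stored.startswith("md5$"):
        return "reset_required"
    return verify_password(password, stored)


if __name__ == "__main__":
    print("cracked:", crack_md5(LEAKED_MD5))  # alice, bob, carol; dave survives the small search
    record = hash_password("new-Str0ng-passphrase")
    print(check_login(record, "new-Str0ng-passphrase"))
    print(check_login("md5$" + LEAKED_MD5["alice"], "abc123"))
```

The cracker recovers three of the four constructed accounts with under 50,000 hash computations; only the long passphrase survives, and only because the demo's search space is tiny. With the salted scheme, the same wordlist must be rerun per account at a cost set by the work factor, which is the property the upgrade buys.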

All users listed above whose password hash was leaked have been contacted individually by email. For legal (GDPR) purposes, and in the interest of full disclosure and transparency, the incident has been reported to the Norwegian Data Protection Authority (Datatilsynet) and published here on iscornerstoneup.com. Our telephone support has been extended this week until 20:00 (GMT+1) on Friday and 09:00-17:00 on Saturday, and support by email and Facebook is available all weekend, to help with any issues that arise from the password reset.

For any questions you may have, please call Kommunion's data protection officer, CEO Anders Torvill Bjorvand, on +47 91749433; he will be happy to answer them.