INCIDENT SUMMARY: SQL DISPLAY

When a user added auto-renewal via the Checkout page for NetShade, certain conditions could cause an SQL error, which would in turn cause the failing SQL query to be displayed on the screen. This created two security issues: 1) the display of raw SQL, and 2) the display of the user's personal details, including payment information.

POTENTIAL HARM

In practice, it's unlikely that this bug caused any tangible security-related damage. No user data was leaked to unentitled parties, and although the server was displaying sensitive information, it was shown only to the same user who entered it. Reinforcement of certain best practices in server configuration will reduce the likelihood of further incidents of this type.

MITIGATION

SQL error display has been turned off on our web server. The auto-renewal feature was temporarily removed from the order page until the underlying issue was fixed.

-Tyler Rayner
September 30, 2019
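
An added illustration of the failure mode and the mitigation described above; it is not NetShade's code. The summary does not name the server stack, so Python with sqlite3, the table, the function names and the sample values are all assumptions constructed for this example.

```python
import logging
import sqlite3
import uuid

log = logging.getLogger("checkout")  # hypothetical logger name
SQL = "INSERT INTO renewals (email, card_number) VALUES (?, ?)"
GENERIC_ERROR = "Auto-renewal could not be saved. Please contact support (ref {ref})."


def make_db():
    # Constructed schema. The CHECK constraint stands in for the unspecified
    # "certain conditions" that made the real query fail.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE renewals (email TEXT NOT NULL, "
               "card_number TEXT NOT NULL CHECK (length(card_number) <= 12))")
    return db


def add_autorenewal_leaky(db, email, card):
    # 'Before': with error display on, a failure puts the statement and the
    # user's own values on the page.
    try:
        db.execute(SQL, (email, card))
        return "Auto-renewal enabled."
    except sqlite3.Error as exc:
        return f"SQL error: {exc}; query: {SQL}; values: {(email, card)}"


def add_autorenewal_safe(db, email, card):
    # 'After': the page gets a generic message and a reference id. The log
    # gets the error class and statement text, never the bound values or the
    # driver's message (which on some databases echoes row data).
    try:
        db.execute(SQL, (email, card))
        return "Auto-renewal enabled."
    except sqlite3.Error as exc:
        ref = uuid.uuid4().hex[:8]
        log.error("ref=%s autorenewal insert failed: %s in %s",
                  ref, type(exc).__name__, SQL)
        return GENERIC_ERROR.format(ref=ref)


if __name__ == "__main__":
    db = make_db()
    sample = ("user@example.com", "4111111111111111")  # constructed test values
    print(add_autorenewal_leaky(db, *sample))
    print(add_autorenewal_safe(db, *sample))
```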