Django template vulnerability

Resolved

We've now resolved the incident. Thanks for your patience.

Recovering

We've found a hard-coded secret value in the source code of the official Django template. Because the source code of a repl is often publicly viewable, the secret can be read by anonymous users and used to decode authenticated messages and impersonate logged-in users of the Django application.

We have rectified the template: users are now required to generate a secret and store it in the "Secrets (Environment Variables)" tab before they can run their app.

We are in the process of rolling out a security update to users who previously created Django repls from that template. The update applies the code fix of removing the hard-coded value and also automatically generates a secret on behalf of the user.
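The two halves of the fix described above, as an added illustration that is not Replit's template code or tooling: detecting a `SECRET_KEY` assigned as a string literal in a `settings.py` source, rewriting it to an environment lookup, generating a fresh secret, and refusing to start when the environment variable is missing or too short. The settings fragments and the placeholder literal are constructed for this example; the real template's value is not reproduced here. Django ships its own `django.core.management.utils.get_random_secret_key`, but the stdlib `secrets` module is used so the example runs without Django installed.

```python
import os
import re
import secrets

# Constructed sample of the vulnerable shape the incident describes: a literal
# assigned to SECRET_KEY. The value is a made-up placeholder, not the real one.
VULNERABLE_SETTINGS = '''
DEBUG = True
SECRET_KEY = "django-insecure-EXAMPLE-PLACEHOLDER-not-the-real-value"
ALLOWED_HOSTS = ["*"]
'''

# Constructed sample of the hardened shape: the key comes from the environment,
# which on Replit is the "Secrets (Environment Variables)" tab.
HARDENED_SETTINGS = '''
import os
DEBUG = False
SECRET_KEY = os.environ["SECRET_KEY"]
ALLOWED_HOSTS = ["*"]
'''

# Matches SECRET_KEY = "<literal>" or SECRET_KEY = '<literal>' on one line, with an
# optional trailing comment. An expression such as os.environ[...] does not match.
_HARDCODED_RE = re.compile(
    r'^[ \t]*SECRET_KEY[ \t]*=[ \t]*(?P<q>["\'])(?P<value>.*?)(?P=q)[ \t]*(#.*)?$',
    re.MULTILINE,
)


def find_hardcoded_secret_key(settings_source):
    """Return the literal SECRET_KEY found in a settings.py source string, or None."""
    m = _HARDCODED_RE.search(settings_source)
    return m.group("value") if m else None


def rewrite_to_env_lookup(settings_source):
    """Replace a hard-coded SECRET_KEY literal with an environment lookup,
    adding `import os` when the file does not already import it."""
    fixed = _HARDCODED_RE.sub('SECRET_KEY = os.environ["SECRET_KEY"]', settings_source)
    if fixed != settings_source and not re.search(r"^import os\b", fixed, re.MULTILINE):
        fixed = "import os\n" + fixed
    return fixed


def generate_secret_key(nbytes=50):
    """Generate a fresh random secret suitable for Django's SECRET_KEY."""
    return secrets.token_urlsafe(nbytes)


def validate_secret_key(value, min_length=50):
    """Return a problem description for a candidate SECRET_KEY, or None if acceptable."""
    if not value:
        return "SECRET_KEY is not set; store it in Secrets (Environment Variables), not in source"
    if len(value) < min_length:
        return f"SECRET_KEY is too short ({len(value)} chars); generate a new one"
    return None


def load_secret_key(env=None, name="SECRET_KEY"):
    """Settings-time loader: read SECRET_KEY from the environment and refuse to start
    without a usable value, so a missing secret fails loudly instead of silently."""
    env = os.environ if env is None else env
    value = env.get(name, "")
    problem = validate_secret_key(value)
    if problem is not None:
        raise RuntimeError(problem)
    return value


if __name__ == "__main__":
    leaked = find_hardcoded_secret_key(VULNERABLE_SETTINGS)
    print("hard-coded literal found:", leaked is not None)
    print(rewrite_to_env_lookup(VULNERABLE_SETTINGS))
    print("new secret length:", len(generate_secret_key()))
```

Running the module scans the constructed vulnerable fragment, prints the rewritten settings, and shows the length of a freshly generated secret; `load_secret_key` is what a hardened `settings.py` would call so the app does not start with an empty or short key.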

Processed all repls created from the official Django template: 3817, with an estimated 3600 of them upgraded. Currently looking through the ones that were skipped (they didn't match the hard-coded value in the source code) just to make sure.

Began at:

Affected components
  • replit.com