We've now resolved the incident. Thanks for your patience.
We've found a hard-coded secret value in the source code of the official Django template. Because the source code of a repl is often publicly viewable, the secret can be stolen by anonymous users and used to decode authenticated messages and impersonate logged-in users to the Django application.
We have rectified the template, forcing users to generate a secret and store it in the "Secrets (Environment Variables)" tab before they can run their app.
We are in the process of rolling out a security update to users who have previously created Django repls from that template, which performs the code fix of removing the hard-coded value, and also automatically generates a secret on behalf of the user.
Processed all repls created from the official Django template: 3817, of which an estimated 3600 were upgraded. We are currently looking through the ones that were skipped just to make sure (they didn't match the hard-coded value in the source code).
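The fix described above, sketched as an added example (not Replit's or the template's own code): a check that flags a string-literal SECRET_KEY in a settings file, and a loader that takes the key from the environment and refuses to start without one. The environment variable name, the 32-character minimum and the sample settings text are assumptions made for the example.

```python
import ast
import os
import secrets

ENV_NAME = "SECRET_KEY"  # assumed name of the entry in the Secrets tab


def hardcoded_secret_lines(settings_source):
    """Return line numbers where SECRET_KEY is assigned a string literal."""
    hits = []
    for node in ast.walk(ast.parse(settings_source)):
        if not isinstance(node, ast.Assign):
            continue
        names = [t.id for t in node.targets if isinstance(t, ast.Name)]
        literal = (isinstance(node.value, ast.Constant)
                   and isinstance(node.value.value, str))
        if "SECRET_KEY" in names and literal:
            hits.append(node.lineno)
    return sorted(hits)


def generate_secret_key():
    """Generate a fresh random secret using the standard library."""
    return secrets.token_urlsafe(50)


def load_secret_key(environ=os.environ):
    """Fetch the secret from the environment; refuse to start without one."""
    value = environ.get(ENV_NAME, "")
    if len(value) < 32:  # assumed minimum length for this example
        raise RuntimeError(f"{ENV_NAME} is missing or too short; set it as a secret")
    return value


# Constructed sample inputs, not the template's real contents.
BEFORE = 'DEBUG = True\nSECRET_KEY = "constructed-placeholder-not-a-real-key"\n'
AFTER = 'import os\nDEBUG = True\nSECRET_KEY = os.environ["SECRET_KEY"]\n'

if __name__ == "__main__":
    print("hard-coded in BEFORE at lines:", hardcoded_secret_lines(BEFORE))
    print("hard-coded in AFTER at lines:", hardcoded_secret_lines(AFTER))
    env = {ENV_NAME: generate_secret_key()}
    print("loaded key length:", len(load_secret_key(env)))
```

Removing the literal from the file does not restore secrecy for a key that was already publicly viewable, which is why the update also generates a new secret.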