We recently fixed an information leak in our Sidekick plugin. Specifically, a user’s API keys could be leaked when sharing a .BNDB database with someone else. Thankfully, this issue did not expose user data in any way, but it could have been used to gain free access to the service with another user’s key. Additionally, this issue was discovered during internal testing, and we have no evidence that it was abused externally before we identified and corrected it.
If we have made this mistake, it’s likely other plugin authors may have as well, so we wanted to write up this post to provide more details about the issue and what we’ve changed in the API itself to mitigate it.