The SecureDrop project uses a self-hosted installation of Weblate for translation into supported languages. On Sunday, an independent security researcher reported a Weblate misconfiguration through our bug bounty program. The misconfiguration enabled any user to log into Weblate as an administrator using default credentials. Our logs do not indicate that this access was ever used inappropriately.
This misconfiguration does not impact SecureDrop, as all changes made via Weblate go through two stages of review (first through the Weblate interface itself, and later as a Pull Request to the main SecureDrop code repository, where a maintainer will manually inspect all translated strings).
Upon receiving the report, we immediately updated the configuration, conducted an internal investigation, rebuilt the servers, and reset all user credentials.
An adversary would have been able to access translators’ email addresses, impersonate translators, modify the Weblate configuration, or modify translations directly. Our logs indicate that no third parties other than the security researcher who reported the issue and Bugcrowd, who validated the submission, have accessed Weblate using these credentials.
If you are a translator and you log in with your email address and password, you will need to use the password reset feature. If you have previously logged in with GitHub, you will need to re-authorize GitHub: log in again with GitHub and follow the prompts.
We apologize for the error and for the resulting inconvenience.