Review 360: Content access issue
Incident Report for Articulate
Postmortem

On April 6, 2022, the Articulate team made an error in updating Review 360 that made it possible for a small number of Review 360 users to see content created by users outside their account.

What Happened

At 9:19 am ET on March 24, 2022, our team made a change to Review 360 to begin sending an event indicating that a new item was created. This change was made as part of upcoming changes to Review 360, and Review 360 was not listening to or taking any action on this event at this time.

At 1:47 pm ET on April 6, 2022, the Articulate team made a change to Review 360 to begin to listen for this event. When the event was received, a running instance of Review 360 in a user’s browser would display the new review item on the dashboard.

This event was not correctly filtered to a user’s Articulate ID, so other users who had the Review 360 web application running may have seen a review item belonging to another user appear in their dashboard. If the user clicked through to view the review item, they would be able to view the contents of the review item if the content was not password-protected. The user also could have right-clicked the review item and copied the URL without viewing the review item.

Customers alerted us to this issue at 4:53 pm ET. At 7:31 pm ET, we reverted the change to the Review 360 web application. New visitors to the web application were served a version that no longer listened to or took any action on the event.

At 9:41 pm ET, we updated the Review 360 web service to stop emitting the new event.

We identified the Review 360 content that was created between 1:47 pm and 9:41 pm ET on April 6, 2022, and at 2:25 am ET on April 7, 2022, we began changing the IDs of all of this content to prevent any copied URL from being able to be used to view the item. We completed these updates at 9:01 am ET.

What We’re Doing About It

We’ve audited the content that was affected by this incident and verified that fewer than 1% of Articulate 360 customers had content that may have been inappropriately viewed. We’re reaching out to those folks individually to answer questions and address their concerns.

We're also working on identifying exactly where our engineering and quality processes broke down here so we can make sure it doesn't happen again. We know we hold an important obligation to safeguard your content and maintain your trust, and we are deeply sorry. We’ll work hard to earn your trust with improved processes.

Once we have further details on our process audit, we’ll share them with you here. If you have any further questions, please create a case and our support team will follow up.

4/13/22 Post Mortem Update

Since last week’s post-mortem, we’ve dug further into this incident and identified the exact circumstances in which folks could view content that they weren’t authorized to see. We’d like to share this context. 

Right now, the Review 360 engineering team is working on developing a team folders feature. This functionality will allow members of the same Articulate 360 team to organize content into folders that are shared with their teammates. 

To build this feature, the team created a process where users’ dashboards receive updates when teammates create new shared content. Last week, the team released a bug where users could receive updates that were not correctly filtered to members of their team. This bug only occurred in a very specific set of circumstances: when a user navigated from viewing Review 360 content back to the dashboard and while the dashboard was still loading.

This error was limited to displaying the content in the user’s dashboard and enabling the user to view the content. The user wouldn’t be able to duplicate, download, export, rename, or move content. 
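The failure mode described in both the original postmortem and the update above (a "review item created" event fanned out to dashboards outside the owning account) and the remediation (reissuing item IDs so copied URLs stop working) can be modelled in a few lines. The example below is added here and is not Articulate's code; the event bus, the `ownerAccountId` field, the account names and the `rotateItemId` helper are all assumptions. It shows the unfiltered publish beside the server-side filter, a client-side check that drops misrouted events as defence in depth, and the ID rotation that invalidates a previously copied link.

```javascript
// Added example (not Articulate's code): a minimal in-memory event bus that
// models the "review item created" event from the postmortem. All names here
// (EventBus, ownerAccountId, accA/accB, rotateItemId) are assumptions.

class EventBus {
  constructor() {
    this.subscribers = []; // one entry per open dashboard: { accountId, onEvent }
  }

  subscribe(accountId, onEvent) {
    this.subscribers.push({ accountId, onEvent });
  }

  // The defect: every connected dashboard receives every event, so a user in
  // one account sees an item created by a user in another account.
  publishUnfiltered(event) {
    for (const s of this.subscribers) s.onEvent(event);
  }

  // Server-side fix: fan out only to dashboards that belong to the owning account.
  publishFiltered(event) {
    for (const s of this.subscribers) {
      if (s.accountId === event.ownerAccountId) s.onEvent(event);
    }
  }
}

// Client-side defence in depth: a dashboard should ignore any event that is not
// addressed to the account it is signed in as, even if the server misroutes it.
function dashboardAccepts(event, currentAccountId) {
  return event.ownerAccountId === currentAccountId;
}

// Runs the scenario under one publish strategy and returns which item IDs each
// account's dashboard ended up displaying.
function simulate(strategy, { clientCheck = false } = {}) {
  const bus = new EventBus();
  const shown = { accA: [], accB: [] };
  for (const accountId of Object.keys(shown)) {
    bus.subscribe(accountId, (event) => {
      if (clientCheck && !dashboardAccepts(event, accountId)) return;
      shown[accountId].push(event.itemId);
    });
  }
  // Constructed event: a user in account A creates a new review item.
  const event = { type: 'review-item-created', itemId: 'item-123', ownerAccountId: 'accA' };
  if (strategy === 'unfiltered') bus.publishUnfiltered(event);
  else bus.publishFiltered(event);
  return shown;
}

// Remediation step from the report: reissue the item's ID so that any URL
// copied during the exposure window no longer resolves. Returns the new ID.
let rotationCounter = 0; // constructed; a real system would issue unguessable random IDs
function rotateItemId(store, oldId) {
  const item = store.get(oldId);
  if (!item) throw new Error('unknown item');
  store.delete(oldId);
  const newId = `${oldId}-r${++rotationCounter}`;
  store.set(newId, item);
  return newId;
}

// Resolves a review link's item ID to its content, or null if the link is dead.
function resolveReviewUrl(store, itemId) {
  return store.has(itemId) ? store.get(itemId) : null;
}
```

Run `simulate('unfiltered')` to see account B's dashboard receive `item-123`, then `simulate('filtered')` or `simulate('unfiltered', { clientCheck: true })` to see either layer stop it; the server-side filter is the real fix, and the client check only limits the blast radius when the server gets it wrong.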

What’s Next

We’re working through our process for investigating serious incidents, and that means we’ve appointed an internal incident investigator from outside the responsible engineering team. This investigator will interview team members, review code and internal processes, and ultimately make recommendations to address the gaps that this incident exposed. We’ll update you further with an overview of the types of changes we’re making to ensure this doesn’t happen again. 

Please let us know if you have any questions or if we can provide additional context for your team.

Posted Apr 07, 2022 - 16:29 UTC

Resolved
Yesterday at 9:13 am ET, our team published an update to Review 360 that made it possible for a small number of Review 360 users to see content created by users outside their account.

Customers alerted us about this issue yesterday at 4:53 pm ET, and our team began investigating immediately. We identified the cause and reverted the update at 7:31 pm ET. Since then, our team has been focused on gathering details to share with the users affected by this issue so we can reach out to them directly as soon as possible.

To ensure that all content remains secure, we updated the URLs for any content that Review 360 users published during the incident. If you shared review links with reviewers yesterday, you’ll want to provide them with the updated URL.

We're working on identifying exactly where our engineering and quality processes broke down here so we can make sure it doesn't happen again. We know we hold an important obligation to safeguard your content and maintain your trust, and we are deeply sorry. We’ll work hard to earn your trust with improved processes.

We’ll share a post-mortem with further details as soon as possible.
Posted Apr 07, 2022 - 21:00 UTC