Possible data breach of IETF t-shirt system

IETF Executive Director <exec-director@ietf.org> Thu, 01 April 2021 21:59 UTC

Return-Path: <exec-director@ietf.org>
X-Original-To: ietf-announce@ietf.org
Delivered-To: ietf-announce@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id BB6C43A2503 for <ietf-announce@ietf.org>; Thu, 1 Apr 2021 14:59:15 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: IETF Executive Director <exec-director@ietf.org>
To: IETF Announcement List <ietf-announce@ietf.org>
Subject: Possible data breach of IETF t-shirt system
X-Test-IDTracker: no
X-IETF-IDTracker: 7.27.0
Auto-Submitted: auto-generated
Precedence: bulk
Reply-To: admin-discuss@ietf.org
Message-ID: <161731435568.25509.1647220115077071240@ietfa.amsl.com>
Date: Thu, 01 Apr 2021 14:59:15 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf-announce/exMKqyRTCeEqNPicXLJv5GmQdoQ>
X-BeenThere: ietf-announce@ietf.org
X-Mailman-Version: 2.1.29
List-Id: "IETF announcement list. No discussions." <ietf-announce.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf-announce>, <mailto:ietf-announce-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf-announce/>
List-Post: <mailto:ietf-announce@ietf.org>
List-Help: <mailto:ietf-announce-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf-announce>, <mailto:ietf-announce-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 01 Apr 2021 21:59:16 -0000

For the avoidance of doubt, this is not an April Fool's day prank.

We were informed yesterday of a fault in the IETF meeting t-shirt system that allowed someone to retrieve the name, size and delivery address of a third party using a simple URL rewrite.  The system was shut down and an investigation conducted to determine if any data had been breached other than by the reporter.  So far this investigation shows no breach but efforts will continue until we have confirmed that with a high degree of confidence.  The affected system has been changed to close the vulnerability and is back online.

I wish to extend our thanks to the reporter for alerting us directly and confidentially.

Please feel free to contact me directly if you have any questions.

Jay

-- 
Jay Daley
IETF Executive Director
exec-director@ietf.org
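The fault the announcement describes, a record fetched by the identifier in the URL without checking that the requester owns it, is the pattern commonly called an insecure direct object reference. The following is an added illustration, not code from the IETF t-shirt system: a lookup handler with that fault beside a hardened one that verifies ownership and audits denied attempts, plus the kind of access-log review that an investigation into "any data breached other than by the reporter" relies on. All accounts, orders, addresses and log lines are constructed sample data.

```python
"""Added illustration of the fault class in the announcement (IDOR) and of
its fix; not the IETF t-shirt system's code. All data below is constructed."""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Order:
    order_id: int
    owner: str      # account the order belongs to
    name: str
    size: str
    address: str


# Constructed sample records (hypothetical people and addresses).
ORDERS = {
    101: Order(101, "alice", "Alice Example", "M", "1 Example Street"),
    102: Order(102, "bob", "Bob Example", "L", "2 Sample Road"),
}

AUDIT_LOG: list[str] = []   # hardened handler appends one line per denied request


def vulnerable_lookup(session_user: str, order_id: int) -> Optional[Order]:
    """Fault pattern: trusts the order id taken from the URL. A logged-in user
    who rewrites /orders/101 to /orders/102 receives another person's record."""
    return ORDERS.get(order_id)


def hardened_lookup(session_user: str, order_id: int) -> Optional[Order]:
    """Fix: fetch the record, then verify ownership before returning it.
    A foreign record is reported as missing (None), exactly like a nonexistent
    id, so the response does not confirm which ids exist; the attempt is audited."""
    order = ORDERS.get(order_id)
    if order is None:
        return None
    if order.owner != session_user:
        AUDIT_LOG.append(f"DENIED user={session_user} order_id={order_id}")
        return None
    return order


# Constructed access-log lines from before the fix, in a hypothetical format.
SAMPLE_LOG = """\
2021-03-31T10:00:00Z user=alice GET /orders/101 200
2021-03-31T10:00:05Z user=alice GET /orders/102 200
2021-03-31T10:01:00Z user=bob GET /orders/102 200
2021-03-31T10:02:00Z user=bob GET /orders/999 404
"""

LOG_RE = re.compile(r"user=(?P<user>\S+) GET /orders/(?P<oid>\d+) (?P<status>\d{3})")


def find_cross_account_reads(log_text: str) -> list[tuple[str, int]]:
    """Investigation helper: list (user, order_id) pairs where a successful
    response returned a record the requesting user does not own."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m or m.group("status") != "200":
            continue
        oid = int(m.group("oid"))
        order = ORDERS.get(oid)
        if order is not None and order.owner != m.group("user"):
            hits.append((m.group("user"), oid))
    return hits


if __name__ == "__main__":
    print("vulnerable:", vulnerable_lookup("alice", 102))   # bob's record leaks
    print("hardened:  ", hardened_lookup("alice", 102))     # None
    print("audit:     ", AUDIT_LOG)
    print("cross-account reads in log:", find_cross_account_reads(SAMPLE_LOG))
```

The ownership check lives next to the fetch rather than in the URL routing so it cannot be bypassed by a different path to the same record, and the log review keys on the same owner relation, which is what lets an investigation distinguish the reporter's own test from any other access.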