Security Incident: Involuntary Information Disclosure

Earlier today, we received a report that the web client may inadvertently disclose the so-called common name of accounts within the same domain name space.

The impact is limited to users who use one of the domain names provided by Kolab Now, including domains such as “mykolab.com”, “kolabnow.com” and “medicmail.ch”.

The involuntary exposure is limited to the given name and surname provided in the registration form.

No calendar data, calendar information or scheduling information has been exposed. For a user who registered as “John Doe”, the only information that could have been exposed is that an account named “John Doe” exists.

That being said, it still constitutes involuntary information disclosure, and we closed the gap as fast as we could. Determining where the underlying issue actually lay took us approximately 50 minutes. Working around the underlying issue took an additional 15 minutes. Applying the fix throughout the Kolab universe took an additional 90 minutes, and the software update is currently undergoing testing.

We’d like to thank the reporter of the issue, and would like to let you know that they have been awarded CHF 50,- credit to their account.