Pi-hole, a trusted and widely adopted open-source network security solution, experienced a security incident involving the inadvertent exposure of user information submitted through its donation page. The breach was limited to names and email addresses; no payment details or verified personal information were compromised.
The exposure occurred when donor names and email addresses entered through the Pi-hole donation form on the official site were unintentionally made publicly accessible in the website's page source; anyone with basic web inspection tools could view them. Payment data such as credit card numbers was unaffected and remained securely managed by the third-party payment providers. The visibility of donor names and email addresses can still pose privacy risks to users, such as targeted spam or phishing attempts.
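As an added example (not code from Pi-hole, GiveWP or the announcement post), a defender-side check for the failure mode described above: sweep a page's HTML for email addresses embedded in inline scripts or tag attributes, where a form plugin's server-side data can end up in the public source. The sample page, donor addresses and allowlisted contact address are constructed.

```python
import re
from html.parser import HTMLParser

# Deliberately loose address pattern (constructed): a PII sweep wants recall,
# and a human reviews the hits.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


class _Collector(HTMLParser):
    """Records every text run and attribute value with its enclosing context."""

    def __init__(self):
        super().__init__()
        self.stack = []   # open tag names, so we know when we are inside <script>
        self.chunks = []  # (context, text)

    def handle_starttag(self, tag, attrs):
        self.stack.append(tag)
        for name, value in attrs:
            if value:
                self.chunks.append((f"attr:{tag}@{name}", value))

    def handle_endtag(self, tag):
        while self.stack:            # also drops unclosed void tags such as <input>
            if self.stack.pop() == tag:
                break

    def handle_data(self, data):     # HTMLParser hands <script> bodies to handle_data
        self.chunks.append(("script" if "script" in self.stack else "text", data))


def find_exposed_emails(html, allowlist=()):
    """Return [(email, context)] for every address not on the allowlist. Hits in a
    'script' or 'attr:...' context are the pattern behind the Pi-hole incident:
    per-donor records serialized into the page rather than kept server-side."""
    parser = _Collector()
    parser.feed(html)
    allowed = {a.lower() for a in allowlist}
    seen, findings = set(), []
    for context, text in parser.chunks:
        for email in EMAIL_RE.findall(text):
            key = (email.lower(), context)
            if email.lower() in allowed or key in seen:
                continue
            seen.add(key)
            findings.append((email, context))
    return findings


# Constructed sample: a donation page whose plugin emitted donor records into
# an inline <script> and a prefilled hidden field, plus a legitimate contact link.
SAMPLE_HTML = """<html><body>
<a href="mailto:contact@example.org">Contact us</a>
<form id="donate"><input type="hidden" name="prefill" value="prev.donor@example.net"></form>
<script>var donors = [{"name":"A. Donor","email":"a.donor@example.com"},
                      {"name":"B. Donor","email":"b.donor@example.com"}];</script>
</body></html>"""

if __name__ == "__main__":
    for email, ctx in find_exposed_emails(SAMPLE_HTML, allowlist=["contact@example.org"]):
        print(f"EXPOSED {email} ({ctx})")
```

Run it against the HTML of each public page after every plugin update; any new hit outside the allowlist is a regression worth investigating.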
The issue was identified after multiple reports from community members pointed toward the donation plugin, GiveWP. The vulnerability, which allowed donor information to be publicly visible, had been publicly disclosed on GitHub before the fix was released. The developers deployed the patch within hours, with about 17 hours elapsing between the public disclosure and the release of the fix.
While the vulnerability was promptly patched, concerns were raised about the time that passed before the fix was publicly available. The Pi-hole team emphasized that no payment or verified personal data was exposed. They also expressed concern about the plugin developer's communication, including the time before a fix was available and a response that did not address the potential impact of the data exposure.
They also clarified that the core Pi-hole product remains unaffected and that no action is required from users with Pi-hole installations.
Software vulnerabilities can sometimes emerge unexpectedly, even when systems are carefully maintained. Organizations relying on external tools should implement proactive security measures, including regular updates and vigilant oversight, to help address these challenges and safeguard user data.
Learn more about the incident and any updates in Pi-hole's announcement post.