A Note From Our Chief Security Officer

Last night we were made aware of a security issue with regards to the manner in which we handle the passing of encrypted passwords within a specific domain. It was brought to our attention that an Egnyte user accessing the “users and groups” management page of their particular domain could use a packet sniffer to see the MD5 encrypted passwords of the other users within their domain. The passwords that are passed belong only to that domain, no other domains are ever accessed, and the passwords are in fact encrypted.

In accordance with the January 2009 US-CERT vulnerability note VU#836068, we moved away from using the MD5 hashing algorithm, and moved our entire encryption scheme to the Bcrypt standard. Unbeknownst to us, a small piece of legacy code remained, and despite use of a leading third-party security risk assessment service the code survived. Once we were made aware, we responded immediately, and have removed the code, and installed a fix.

We would like to stress, at no time were unencrypted passwords made visible to anyone, and at no time were the encrypted passwords of one domain made visible to another. We take every possible security breach seriously and we remain ever vigilant in order to provide the best, most secure products and services available in the marketplace. If you would like to learn more about our security, please download our security whitepaper.

Sincerely,

Kris Lahiri
Chief Security Officer

Author
Kris Lahiri
