Yesterday, I was made aware of a security vulnerability with our Private Messaging system. Upon confirming the issue, the PM system was shut down until a patch was issued about half-an-hour later. It has been confirmed that this vulnerability has existed as far back as 2013; however, recent changes to the website caused the flaw to become visible and thus more easily exploited. While the security flaw did not allow one user to specifically target the PM's of another user, it did allow a user to view PM's for which he was not the intended recipient.
As the Technology Officer for TexAgs, it is my responsibility that our services perform to their intent, and while TexAgs makes no guarantees about the secure nature of PM's, it is our intention that that be a closed conversation between two users. I apologize for us not upholding this intent.
As this issue came to light within our forums, two questions were presented that I believe should be addressed further.
1. Is my payment information secure?
TexAgs does not retain sensitive payment information within its servers. We utilize a payment processing service by VISA owned CyberSource, the largest business payment service provider in the US. Once submitted, we ourselves cannot even access your full payment information.
2. Are PMs a secure form of communication?
The Private Messaging system is intended as a method for two users to directly interact with each other. While we make a best effort to keep these conversations private, they should not be viewed as a secure communication. The PM system has never used SSL, the web's standard for secured and encrypted data transmission (usually indicated by the lock symbol in your browser's address bar). When utilizing any service on any website, one should never assume your communication is secure without this visible indication of data encryption and an explicit service declaration from the provider.
Our goal here at TexAgs is excellence in all the services we offer our customers. My apologies, again, for us missing that mark with this issue. We will learn from our mistakes, and we will do better.
Josh
As the Technology Officer for TexAgs, it is my responsibility that our services perform to their intent, and while TexAgs makes no guarantees about the secure nature of PM's, it is our intention that that be a closed conversation between two users. I apologize for us not upholding this intent.
As this issue came to light within our forums, two questions were presented that I believe should be addressed further.
1. Is my payment information secure?
TexAgs does not retain sensitive payment information within its servers. We utilize a payment processing service by VISA owned CyberSource, the largest business payment service provider in the US. Once submitted, we ourselves cannot even access your full payment information.
2. Are PMs a secure form of communication?
The Private Messaging system is intended as a method for two users to directly interact with each other. While we make a best effort to keep these conversations private, they should not be viewed as a secure communication. The PM system has never used SSL, the web's standard for secured and encrypted data transmission (usually indicated by the lock symbol in your browser's address bar). When utilizing any service on any website, one should never assume your communication is secure without this visible indication of data encryption and an explicit service declaration from the provider.
Our goal here at TexAgs is excellence in all the services we offer our customers. My apologies, again, for us missing that mark with this issue. We will learn from our mistakes, and we will do better.
Josh