Last Wednesday, a security researcher working under our bug bounty program found a way to access one account’s file storage from another account by using the “Dirty Pipe” Linux kernel vulnerability (CVE-2022-0847). We put a mitigation system in place to stop that from happening, and on Thursday we patched the underlying kernel issue. On Friday, another researcher found a similar issue; the mitigation system we had put in place made it relatively harmless, and we patched that one within minutes.
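For readers who run their own Linux hosts, the quickest first check is whether the kernel version falls in the range Dirty Pipe affects. The script below is an added example, not PythonAnywhere’s code or tooling: it encodes the upstream facts that the bug was introduced in 5.8 and fixed in 5.16.11, 5.15.25 and 5.10.102 (and in 5.17 onwards). It assumes nothing about the host beyond a POSIX shell and `uname`. The important caveat is that distribution kernels backport fixes (and, in a few cases, backported the buggy pipe code into older versions), so a version string is only a hint; the authoritative answer is your distribution’s advisory for CVE-2022-0847.

```shell
#!/bin/sh
# Added example: upstream-version heuristic for Dirty Pipe (CVE-2022-0847).
# Not PythonAnywhere's code. Distro kernels backport patches, so treat the
# result as a prompt to check the vendor advisory, not as a final verdict.

# ver_key "5.10.102-generic" -> 5010102: a single integer that sorts the way
# kernel versions do. Anything after the first non-numeric character (e.g.
# "-generic", "+") is ignored; missing components count as 0.
ver_key() {
    v=$(printf '%s' "$1" | sed 's/[^0-9.].*//')
    set -- $(printf '%s' "$v" | tr '.' ' ')
    echo $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
}

# dirty_pipe_affected VERSION: exit 0 if the upstream release is in the
# vulnerable range, 1 otherwise.
dirty_pipe_affected() {
    key=$(ver_key "$1")
    [ "$key" -lt 5008000 ] && return 1   # bug introduced in 5.8
    [ "$key" -ge 5017000 ] && return 1   # 5.17 and later shipped fixed
    case "$key" in
        5016*) [ "$key" -lt 5016011 ] ;;  # fixed in 5.16.11
        5015*) [ "$key" -lt 5015025 ] ;;  # fixed in 5.15.25
        5010*) [ "$key" -lt 5010102 ] ;;  # fixed in 5.10.102
        *) return 0 ;;                    # 5.8-5.9, 5.11-5.14: no fixed release upstream
    esac
}

# Stand-alone use: report on the running kernel.
running=$(uname -r)
if dirty_pipe_affected "$running"; then
    echo "kernel $running is in the upstream range affected by CVE-2022-0847; check your distro advisory"
else
    echo "kernel $running is outside the upstream affected range (backports not accounted for)"
fi
```

Because the check only looks at the upstream version number, a patched distribution kernel such as a 5.10.0-something build that carries the backported fix will still be reported as affected; that is the safe direction for the heuristic to err in.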
It’s important to note that the credit card numbers and PayPal information used to pay for PythonAnywhere accounts were not at risk from these issues; that data is stored on completely different servers, and is not accessible even to us.
From our initial analysis, we have no indication that anyone else was able to use these vulnerabilities. It seems to us that this is a case where our bug bounty program worked just as it should, with security researchers telling us about problems before malicious actors were able to exploit them. However, we’re conducting further in-depth investigations to see if there is any evidence of other people using them, and we will let you know if we discover anything.
In the meantime, as a precaution and because it’s good practice in such circumstances, we recommend that you rotate any private keys, API tokens, or passwords stored in files in your PythonAnywhere account (SSH keys, .env files, application config files and the like), since file storage is what these vulnerabilities exposed.