If an attacker installed a webhook on a team, and the team subsequently changed its visibility from public, the payload sent to the webhook to notify it of the visibility change could potentially have disclosed some information that the attacker shouldn't have had access to.
For paid accounts, this could have included some limited information related to the payment account for the team:
We audited the webhooks that existed at the time that this bug existed, and determined that there were not any configured that could have received additional unauthorized information about a team (other than the webhooks created by @theflofly to demonstrate the issue). That said, the potential severity of the issue was high and warranted an immediate fix.
Timeline:
6:49 Issue reported by @theflofly
13:49 Issue reproduced, began working on a fix
15:30 Issue resolved for all teams
16:01 Fix confirmed by @theflofly
13:56 Internal audit completed, bounty awarded
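The bug class described above, as an added illustration that is not code from the report or from the service it concerns: a webhook dispatcher that builds one notification record and sends it to every subscriber, compared with one that filters the record by what each webhook's owner is currently allowed to see. The `Team`, `Webhook`, `billing_email` and member model are constructed for the example; the real payload fields are not shown in the disclosure.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterable, Optional, Tuple

# Constructed model (not the service's real data model): a team with a
# visibility setting, a set of members, and one hypothetical sensitive
# field standing in for the "payment account" details mentioned in the report.
@dataclass
class Team:
    name: str
    visibility: str                       # "public" or "private"
    members: set = field(default_factory=set)
    billing_email: str = ""               # hypothetical sensitive field

@dataclass(frozen=True)
class Webhook:
    owner: str                            # user id that installed the webhook
    url: str                              # where the notification is delivered

PUBLIC_FIELDS: Tuple[str, ...] = ("name", "visibility")
MEMBER_FIELDS: Tuple[str, ...] = PUBLIC_FIELDS + ("billing_email",)

def full_record(team: Team) -> Dict[str, str]:
    """Everything the server knows about the team."""
    return {
        "name": team.name,
        "visibility": team.visibility,
        "billing_email": team.billing_email,
    }

def notify_vulnerable(team: Team, webhooks: Iterable[Webhook],
                      new_visibility: str) -> Dict[str, dict]:
    """Vulnerable pattern: the payload is built once from the full record and
    copied to every subscriber. Nobody asks whether the webhook's owner is
    still entitled to see the team's private details after the change."""
    team.visibility = new_visibility
    record = full_record(team)
    return {hook.url: dict(record) for hook in webhooks}

def visible_fields(team: Team, viewer: str) -> Tuple[str, ...]:
    """Authorization decision evaluated against the team's *current* state."""
    if viewer in team.members:
        return MEMBER_FIELDS
    if team.visibility == "public":
        return PUBLIC_FIELDS
    return ()                             # private team, non-member: nothing

def notify_hardened(team: Team, webhooks: Iterable[Webhook],
                    new_visibility: str) -> Dict[str, Optional[dict]]:
    """Hardened pattern: apply the change first, then project the record
    per subscriber. A subscriber with no remaining view of the team gets no
    payload (None); a real dispatcher would also delete that webhook."""
    team.visibility = new_visibility
    record = full_record(team)
    out: Dict[str, Optional[dict]] = {}
    for hook in webhooks:
        fields = visible_fields(team, hook.owner)
        out[hook.url] = {k: record[k] for k in fields} if fields else None
    return out

def demo() -> Tuple[dict, Optional[dict]]:
    """Constructed scenario: a non-member installed a webhook while the team
    was public, then the team went private. Returns (leaky, safe) payloads
    that the non-member's endpoint would receive under each dispatcher."""
    hooks = [Webhook("alice", "https://alice.example.test/hook"),
             Webhook("mallory", "https://mallory.example.test/hook")]
    leaky = notify_vulnerable(Team("acme", "public", {"alice"},
                                   "billing@example.test"), hooks, "private")
    safe = notify_hardened(Team("acme", "public", {"alice"},
                                "billing@example.test"), hooks, "private")
    return (leaky["https://mallory.example.test/hook"],
            safe["https://mallory.example.test/hook"])

if __name__ == "__main__":
    print(demo())
```

The design point is that the authorization check belongs at payload-construction time, per recipient, and is evaluated against the state after the change: a subscription granted while the team was public is not evidence that the subscriber may still see the team once it is private.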
@danlec described the problem very well. Only the summary is disclosed because some data used in the report are my real data. You can find more details here.