Resolved
Security incident regarding webhook metadata in Linear's GraphQL API

Started
March 30, 2022 at 1:37 PM
Status
Resolved after less than a minute

Impact

Operational
Affected
Integrations
API
  • Resolved
    March 30, 2022 at 1:37 PM

    On March 29th we were alerted about exposed 3rd-party data in our GraphQL API. The data in particular exposed metadata about webhooks to other workspaces in the API. As a result, the URL address of the webhook, the webhook creator's name and email, and the workspace name and URL were queryable in the API outside your workspace. No other information on sensitive areas, such as issues or team members, was exposed.

    Once alerted we quickly fixed the bug that caused this issue and proceeded to examine usage of the particular exposed GraphQL query which was identified to be broken for 7 months. Based on our investigation we didn’t find any indication that the query was accessed with the exception of the party who reported the issue.

    Out of caution, we recommend rotating your webhook URL in the case you consider it private. We also recommend always restricting webhook access to only Linear's IP addresses (35.231.147.226 and 35.243.134.228).

    We're looking into solutions to further prevent similar issues happening in the future. We take customer privacy and security extremely seriously at Linear and apologize for the situation.

    If you have any questions, please don't hesitate to contact us at hello@linear.app