At Remind, we help educators communicate with millions of students and families. These connections are critical for supporting student learning, especially with school closures this year, and it’s equally important for all of the communications on our platform to be secure, protected, and reliably delivered. As part of our security stance, we engage the security researcher community via a bug bounty program—which is how a recent collaboration with a researcher helped us identify improvements to user safety while maintaining the essential content-sharing function of our platform.
First, some background: Along with messages, the Remind platform allows users to share content (assignments, flyers, newsletters, and other materials and resources) in their classes, schools, and districts. Files are uploaded to Remind, stored in Amazon S3, and served via our Amazon CloudFront CDN, as is common practice at many other companies.
But unlike other platforms, a significant percentage of Remind users only receive content via SMS text notifications. To make sure that students and families could access this content directly from their text messages, especially if they had limited data or couldn’t download our app, we made the decision many years ago to make files publicly accessible in an approach generally similar to the one used by a number of social networking applications: Files were obscured behind a randomly-generated UUID but could otherwise be accessed by anyone with the relevant UUID.
Recently, we received a researcher submission challenging the security of our content-sharing implementation. As a result of the researcher’s report and the improvements we made, content distributed via Remind’s content delivery network (CDN) is now signed and automatically expires after 7 days; our S3 bucket is also now private, preventing random access. These enhancements prevent brute-force attacks on our S3 bucket aimed at discovering content UUIDs and further protect these UUIDs against leaks. Read more about the researcher’s findings here.
There’s one tip we found particularly helpful that we also want to share here: When using CloudFront content signing, the URL is deterministic with regard to the expiration, so the same resource signed with the same expiration always yields the same URL. In order to have more stable URLs, which enable better caching behavior, we chose to have all URLs expire in seven days at midnight. Within each 24-hour period, all URLs generated for a particular resource will be stable.
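The following sketch of that tip is an added example, not Remind's code: it builds a CloudFront canned-policy signed URL whose expiry is snapped to a midnight boundary, so every URL signed for a resource on the same day is byte-identical. Assumptions: midnight is taken in UTC and rounded up to the first midnight after now + 7 days, the RSA key is a constructed toy key (two Mersenne primes, for demonstration only), and `KEY_PAIR_ID` and the function names are hypothetical.

```python
import base64, hashlib, json
from datetime import datetime, timedelta, timezone

# Constructed toy RSA key from two Mersenne primes: keeps the example stdlib-only.
# Demonstration only; a real deployment signs with its CloudFront private key.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
KEY_PAIR_ID = "KEXAMPLEKEYPAIRID"  # placeholder, not a real key id
SHA1_PREFIX = bytes.fromhex("3021300906052b0e03021a05000414")  # DigestInfo header


def expiry_epoch(now, days=7):
    """First UTC midnight after now + days (assumed rounding and time zone)."""
    day = (now.astimezone(timezone.utc) + timedelta(days=days + 1)).date()
    return int(datetime(day.year, day.month, day.day, tzinfo=timezone.utc).timestamp())


def rsa_sha1_sign(message):
    """RSASSA-PKCS1-v1_5 with SHA-1; it takes no random input, hence deterministic."""
    k = (N.bit_length() + 7) // 8
    t = SHA1_PREFIX + hashlib.sha1(message).digest()
    em = b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t
    return pow(int.from_bytes(em, "big"), D, N).to_bytes(k, "big")


def signed_url(url, now):
    """Canned-policy signed URL; the expiry only changes once per UTC day."""
    expires = expiry_epoch(now)
    policy = json.dumps(
        {"Statement": [{"Resource": url,
                        "Condition": {"DateLessThan": {"AWS:EpochTime": expires}}}]},
        separators=(",", ":"))  # canned policy is signed without whitespace
    sig = base64.b64encode(rsa_sha1_sign(policy.encode()))
    sig = sig.translate(bytes.maketrans(b"+=/", b"-_~")).decode()  # URL-safe form
    sep = "&" if "?" in url else "?"
    return f"{url}{sep}Expires={expires}&Signature={sig}&Key-Pair-Id={KEY_PAIR_ID}"
```

Signing with `int(time.time()) + 7 * 86400` instead would produce a different URL on every request, so clients and intermediate caches would never see the same URL twice.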
We’d like to express our thanks to Craig Barretto and Proack Security for their responsible disclosure, as well as for their additional efforts in assisting us with identifying appropriate improvements without harming usability. Thank you for helping us make Remind more secure.