We recently faced a minor security incident at the OpenBazaar GitHub repository. An attacker was able to briefly gain push access and make code changes that remained undetected for about one hour, by pretending to be a developer with contributor access who had lost access to his normal account.

The changes that the attacker made to the code were insignificant and were not related to security – they were mostly tests. Only the “develop” branch was affected, not the “master” branch. As our users run the “master” branch, we expect no users to be affected by this breach. We reverted the code changes immediately and access rights were restored. We don’t expect anyone to be affected by this attack.

As a response to the attack, we are in the process of developing more rigorous security policies which would require proper authentication for committer username changes. Our new policies will also include operational security requirements for existing developers. In response to the attack and in coordination with GitHub, we have ensured that the accounts of the attacker have been appropriately banned.

As part of our transparency commitment to our users, we are publishing this security incident so that people are aware of our potential problems and solutions. Our full incident response post-mortem report is available for the community to read.
