Security Incident Status

TinyBox VPS - November 2025

Critical Issues Resolved Last Updated: 2025-11-14 01:15 CET | Version 1.1.5

Incident Summary

On November 9, 2025, security researcher Antoni Mróz initially disclosed multiple security vulnerabilities in TinyBox VPS infrastructure. We immediately initiated remediation and completed critical fixes within 24 hours.

Disclosure Dates
Nov 9: Initial disclosure
Nov 11: Additional scope confirmed
Remediation
Completed November 12, 2025
Status
All Critical Issues Resolved

What Happened

Vulnerability Disclosure

Security researcher discovered and responsibly disclosed multiple security vulnerabilities affecting TinyBox VPS infrastructure. Six customer data records (names, email addresses) from uczmnie.pl payment transactions were exposed through TinyBox logging, but the uczmnie.pl platform itself was not affected.

Issues Identified

  • Exposed .git directories in production (source code accessible)
  • Hardcoded credentials in git history (AWS SES, database passwords, API keys)
  • Personal customer data in git commit history (webhook logs)
  • Insufficient authentication on certain API endpoints
  • Inadequate rate limiting and access controls

Root Cause

During rapid development phase, AI-assisted code generation (Cursor and Claude Code) proceeded without adequate human security review. Debug logging and development practices were incorrectly carried into production environment. Git repository hygiene was insufficient (.gitignore not configured properly, sensitive files committed).

Personal Data Affected

GDPR Personal Data Breach

Between June 12-13, 2025, webhook logs containing customer personal data were accidentally committed to a private git repository.

Affected Individuals

Several individuals from TinyBox and related platforms were affected. All affected individuals were notified privately via email with detailed information about the incident and recommended security measures.

Note: Specific counts and detailed breakdowns have been removed from this public disclosure to protect individual privacy. Affected parties received personalized notifications.

Data Categories Potentially Exposed

The unauthorized access potentially exposed various types of customer information including:

  • • Account credentials and authentication information
  • • Personal identification data
  • • Contact information
  • • Transaction and billing details
  • • Service configuration information

✓ Mitigation: All affected accounts were reviewed, credentials were reset, and enhanced security measures were implemented. Log analysis confirmed the extent of access, and no evidence of data exfiltration beyond source code repository access was found.

Limited Exposure Factors

  • ✓ Access limited to 3 individuals (2 developers + security researcher)
  • ✓ Security researcher acted ethically (responsible disclosure)
  • ✓ NO evidence of malicious access or data misuse

Immediate Actions Taken (24 Hours)

Secured .git directories: Blocked web access to all .git directories via Apache configuration
Rotated all credentials: Replaced AWS SES tokens, database passwords, API keys, and all exposed secrets
Cleaned git history: Used BFG Repo-Cleaner to permanently remove PII from all git commit history
Deleted exposed files: Removed all log files containing personal data from production server
Strengthened authentication: Implemented proper API authentication and rate limiting
Protected sensitive files: Added .htaccess rules to block access to .md, .txt, .pem, .key, .sh files
Revoked exposed download link: Disabled active ebook download URL found in logs
Comprehensive security audit: Reviewed all repositories and server configurations for additional vulnerabilities

Complete Timeline of Events

All times are in Central European Time (CET)

Attribution Note: Timeline entries reflect current status of the investigative correlation. Some scanning activity may represent automated reconnaissance not directly associated with the disclosure.

November 8, 2025 (Saturday)

Throughout day
Reconnaissance activity: Exposed .git directory probing on tinybox.sh, panel.tinybox.sh, and wiki.tinybox.sh
22:20-23:30
Source code download: Panel repository .git directory successfully accessed via HTTP (133 files downloaded including git config, index, objects, and commit history)
02:20
Researcher triggers error page disclosure, exposing system paths and configuration details
Throughout day
Researcher analyzes downloaded source code and discovers hardcoded database credentials in git commit history

November 9, 2025 (Sunday)

00:48
Researcher sends initial vulnerability disclosure email to TinyBox co-founder (Jakub Mrugalski)
07:29-07:30
Researcher triggers additional error pages to verify vulnerabilities
09:03
TinyBox team (Mateusz & Jakub) receives disclosure email and initiates emergency incident response
09:04-10:43
TinyBox team implements emergency fixes: blocks .git access, rotates database passwords, AWS credentials, and API keys
10:43
TinyBox team completes initial security patches - .git directories blocked via .htaccess, all credentials rotated

November 10, 2025 (Monday)

09:15
TinyBox team (Jakub) implements additional access controls: Protected all hidden files and directories from web access via enhanced .htaccess rules
12:18-14:41
Database testing activity via apiDB.php tool (26 HTTP requests logged with various SQL queries)
13:26
Researcher creates legitimate customer account and purchases VPS instance (alex129, server_id: 37)
13:49-15:00
Researcher tests TinyBox control panel functionality using his own VPS instance
14:34-14:41
Researcher attempts to test magic link authentication tokens ("pwned", "pwnedamroz", "pwnedbyamroz")

November 11, 2025 (Tuesday)

22:50
Publication notice: Informed that researcher plans to publish article; additional post-disclosure activity detected
22:51
TinyBox team initiates "war room" emergency session to conduct comprehensive forensic analysis and assess full scope of data exposure

November 12, 2025 (Wednesday)

01:21
TinyBox team performs precautionary password reset for all VPS customers (1 production customer + researcher + test accounts)
01:27
TinyBox team deploys security.txt (RFC 9116) with PGP key for future vulnerability disclosures ([email protected])
01:37
TinyBox team sends individual GDPR notification email to affected TinyBox VPS customer
01:50
TinyBox team removes unimplemented "500+ happy customers" placeholder claim from tinybox.sh landing page
02:11
TinyBox team completes database password rotation across all systems (27-second service interruption)
02:40
TinyBox team enables Cloudflare Authenticated Origin Pull with certificate validation to block direct-to-server attacks
02:47
TinyBox team activates enhanced Cloudflare WAF rules with stricter filtering
02:58
TinyBox team completes vulnerability retesting - confirms full exploit chain is broken
09:30
Researcher publishes detailed security analysis article on Zaufana Trzecia Strona
09:48
TinyBox team (Jakub) implements API authentication for domainsAPI endpoint with request method and header validation
04:19
TinyBox team (Mateusz) sends GDPR Article 34 breach notifications to 1 TinyBox user and 6 Uczmnie users. Rest were friends & family & testers.
12:02
TinyBox team publishes public incident transparency page at https://tinybox.sh/status.php
13:29
TinyBox team requests Zaufana Trzecia Strona to add link to status page in article for ongoing updates
15:06
Zaufana Trzecia Strona updates article to include TinyBox comment and removes allegations that mikr.us platform was impacted
16:20
TinyBox team (Jakub) enhances apiDB.php security: Added POST-only enforcement and rotated authentication credentials
21:58
TinyBox team decides to suspend the possibility to purchase new VPS instances until the security incident is fully concluded

November 13, 2025 (Thursday)

02:23
TinyBox team (Jakub) strengthens wiki security controls with enhanced .htaccess protections
03:02
TinyBox team conducts internal penetration test, identifying additional security hardening opportunities. While none of the findings represent direct exploitability, they will be systematically addressed as part of ongoing incident remediation efforts
09:30-10:00
TinyBox team implements automated secret detection: GitHub Actions workflows with Gitleaks deployed across all three repositories (panel, landing, wiki). Scans for AWS keys, Stripe keys, passwords, API tokens, PII, and incident data on every commit
10:30-11:00
TinyBox team deploys PII-safe logging system: Enhanced sanitizeLogData() function to protect 40+ sensitive fields (emails, names, phone numbers, addresses, payment data, auth tokens). All customer emails now hashed in logs (***[8-char SHA256]***) for GDPR compliance while maintaining debug capability
11:00-18:00
TinyBox team implements additional system hardening from security audit: session timeout enforcement, comprehensive audit logging, rate limiting, secure error handling, API response sanitization, and dependency updates

November 14, 2025 (Friday)

00:27
TinyBox team files GDPR Article 33 data breach notification with UODO (Polish Data Protection Authority), completing regulatory compliance requirements within 72-hour deadline

Ongoing Security Improvements

Customer and Regulatory Notifications

Individual GDPR-compliant notifications sent to all 8 affected customers (Article 34). Data breach notification filed with UODO (Polish Data Protection Authority) per Article 33 requirements (72-hour deadline). ✓ Completed: November 14, 2025

GitHub Actions Secret Detection

Implemented automated secret detection using GitHub Actions and Gitleaks across all three repositories. Scans for PII, credentials, API keys, and prevents commits containing sensitive data or incident directories. ✓ Completed: November 13, 2025

PII-Safe Logging Implementation

Redesigned webhook and application logging with GDPR-compliant PII protection. All customer emails and sensitive data now hashed in logs using SHA-256 (***[8-char hash]***). Enhanced sanitizeLogData() to protect 40+ sensitive fields. ✓ Completed: November 13, 2025

CORS Configuration Hardening

Enhanced Cross-Origin Resource Sharing (CORS) security for API endpoints with stricter preflight caching and proper HTTP status codes. Based on security audit recommendations. ✓ Completed: November 13, 2025

Security Headers Implementation

Added comprehensive security headers (X-Frame-Options, CSP, X-Content-Type-Options, HSTS) to API endpoints for defense-in-depth protection against clickjacking and XSS attacks. Based on security audit findings. ✓ Completed: November 13, 2025

File Enumeration Prevention

Modified wiki .htaccess to return 404 instead of 403 for sensitive files, preventing attackers from enumerating which files exist on the server. Based on security audit recommendations. ✓ Completed: November 13, 2025

Input Validation Enhancement

Implemented strict input validation and sanitization for newsletter API parameters with whitelisting, length limits, and character filtering to prevent injection attacks. Based on security audit findings. ✓ Completed: November 13, 2025

Session Timeout Enforcement

Implemented dual-layer session timeout protection: 24-hour absolute timeout and 30-minute idle timeout. Sessions now automatically expire to prevent unauthorized access from abandoned sessions. ✓ Completed: November 13, 2025

Comprehensive Audit Logging System

Deployed complete audit logging infrastructure tracking all security-relevant events (authentication, session management, server actions, domain operations) with GDPR-compliant PII sanitization. Enables forensic analysis and compliance reporting. ✓ Completed: November 13, 2025

Rate Limiting for Authentication

Implemented rate limiting for magic link requests to prevent abuse and brute force attacks. Uses fail-open design to maintain availability during database outages. ✓ Completed: November 13, 2025

Information Disclosure Prevention

Implemented centralized error handling that prevents sensitive information leakage. User-facing error messages are now generic and safe, while detailed errors are logged server-side with unique tracking IDs. ✓ Completed: November 13, 2025

API Response Sanitization

Added field-level sanitization to all API endpoints using whitelist/blacklist approach. Prevents accidental exposure of internal IDs, authentication tokens, infrastructure details, and sensitive metadata. ✓ Completed: November 13, 2025

Security Dependency Updates

Updated error monitoring dependencies for security and performance improvements. Ensures continued security monitoring with latest patches and enhancements. ✓ Completed: November 13, 2025

Customer Impact & Guidance

If You Made a Purchase on Uczmnie.pl

You will receive an individual email notification with specific details about what data of yours was affected and recommended actions. If you believe you were affected but have not received notification, please contact us.

Recommended Actions:

  • • Monitor your email for potential phishing attempts mentioning your purchase
  • • If physical address was exposed: be cautious of unexpected mail or packages
  • • Watch for suspicious activity on accounts associated with your email
  • • Contact us immediately if you notice anything unusual

For All TinyBox VPS Customers

Good news: TinyBox VPS customer data (VPS credentials, SSH keys, server data) was NOT exposed in this incident.

Proactive Security Measures Taken:

  • • All database passwords rotated (November 12)
  • • API access credentials regenerated
  • • Server access logs reviewed for suspicious activity: none found
  • • No evidence of unauthorized VPS access

Recommendation: As a precaution, consider rotating SSH keys on your VPS instances. (Note: TinyBox panel uses magic link authentication, so there is no panel password to change.)

Your GDPR Rights

Under GDPR, you have the right to:

  • • Access your personal data (Article 15)
  • • Rectify inaccurate data (Article 16)
  • • Request data deletion (Article 17)
  • • Restrict processing (Article 18)
  • • Data portability (Article 20)
  • • Lodge a complaint with supervisory authority (UODO)
Polish Data Protection Authority (UODO)
ul. Stawki 2, 00-193 Warszawa, Poland
Phone: +48 22 531 03 00
Email: [email protected]
Website: https://uodo.gov.pl

Lessons Learned & Accountability

This incident exposed critical weaknesses in our development and security practices. We take full responsibility and are committed to learning from these mistakes.

What Went Wrong:

  • AI code generation without security oversight: Claude Code generated functional code rapidly, but without proper human security review, critical vulnerabilities were introduced.
  • Development practices in production: Debug logging, hardcoded credentials, and insufficient access controls—acceptable in development—should never have reached production.
  • Inadequate git hygiene: No .gitignore configuration from day one led to sensitive files being committed. Once in git history, data persists even after deletion.
  • Blurred development/production boundaries: Service was marketed while still in active development phase, creating confusion about expected security standards.

Key Takeaways:

  • AI is a tool, not a replacement: AI-assisted development must be paired with rigorous human review, especially for security-critical systems.
  • Security from day one: Security cannot be "added later." It must be built into architecture, development process, and team culture from the start.
  • Git never forgets: Once data enters git history, it's permanent unless explicitly removed with history rewriting. Prevention is vastly easier than remediation.
  • Production is production: If customers use it, it's production. "Development phase" is not an excuse for inadequate security.
  • Transparency builds trust: Responsible disclosure and transparent communication can transform an incident into a trust-building opportunity.

Acknowledgment & Thanks

We extend our sincere thanks to Antoni Mróz for his responsible disclosure of these vulnerabilities.

His ethical approach—privately notifying us before publishing, allowing time for remediation, and providing detailed technical information—exemplifies responsible security research. Thanks to his professionalism, we were able to address these issues before any malicious exploitation occurred.

We welcome security research. If you discover a security vulnerability in our systems, please report it to [email protected]. We are committed to working with security researchers to protect our customers.

Contact & Questions

We are committed to transparency and open communication during this incident response. If you have questions or concerns, please reach out:

Security Questions

[email protected]

For security-related inquiries, vulnerability reports, or technical questions about this incident.

Customer Support

[email protected]

For general customer support, account questions, or service inquiries.

Report a Security Vulnerability

We welcome responsible disclosure from the security community. If you discover a security issue, please email [email protected] with details. We commit to:

  • • Acknowledging your report within 24 hours
  • • Providing regular updates on remediation progress
  • • Publicly crediting you (if desired) after resolution
  • • Never pursuing legal action against good-faith security research
Technical Details (For Technical Audience)

Vulnerability CWE References:

  • CWE-527: Exposure of Version-Control Repository to an Unauthorized Control Sphere (exposed .git directories on panel.tinybox.sh)
  • CWE-798: Use of Hard-coded Credentials (database credentials in git commit history)
  • CWE-532: Insertion of Sensitive Information into Log File (customer PII in post.log committed to git history)
  • CWE-489: Active Debug Code (apiDB.php database access tool left in production)

Remediation Technical Details:

  • Apache .htaccess: Added appropriate rewrite rules
  • Git history cleanup: BFG Repo-Cleaner 1.14.0 - rewrote 72 commits, changed 125 objects, removed post.log from all history (initial commit: 0b3e28e → 4605e0f)
  • Credential rotation: AWS SES SMTP credentials regenerated, MySQL passwords rotated (32-char random), internal API keys regenerated
  • Cloudflare security: Authenticated Origin Pull (certificate-based), enhanced WAF rules, rate limiting
  • Debug tool removal: apiDB.php removed from production servers

PII Remediation Process:

File post.log containing customer webhook data:

  • Committed: June 12, 2025 (commit 0b3e28e)
  • Deleted from working tree: June 13, 2025 (commit b311a52)
  • Remained in git history: June 13 - November 12, 2025 (~5 months)
  • Permanently removed: November 12, 2025 (BFG + git gc --aggressive)
  • Force pushed to GitHub: November 12, 2025
  • Production server git history cleaned: November 12, 2025

Verification Commands:

# Verify .git not accessible
curl -I https://tinybox.sh/.git/
# Expected: 403 Forbidden

# Verify post.log not in current repo
git log --all --full-history -- post.log
# Expected: (empty)

# Verify old commit not accessible
git show 0b3e28e:post.log
# Expected: fatal: invalid object name

Incident Reference: INC-2025-11-12-PII-GIT-EXPOSURE
Last Updated: 2025-11-14 01:15 CET | Version: 1.1.5
Status: Critical issues resolved, ongoing improvements in progress

← Back to TinyBox VPS