Reports released today by Duo (third party link) show that there are multiple vulnerabilities in SAML via the XML layer that could potentially be exploited to allow unauthenticated users access to a service like Teamable (in cases where customers are using SAML, e.g. OneLogin or Okta).
Okta also released a note (third party link) detailing how this exploit impacts those using the Okta service.
At Teamable, the security of your account and data is of paramount importance.
We have completed a rigorous review and have made the following impact assessment:
Okta customers are not impacted, as the library we rely on, pysaml2, is not affected by this vulnerability.
For OneLogin customers, we have upgraded to python-saml v2.4.0, which patches the vulnerability.
Q: Why can I no longer connect Facebook?
A: Facebook changed the rules of the API that we are using.
Facebook deprecated the API endpoint (https://developers.facebook.com/docs/graph-api/reference/user/taggable_friends/) that we were using because of the widely publicized Cambridge Analytica use of the Facebook API. Our engineering team is working on potential solutions, but given the timing and Facebook's recent issues, there is no reasonable solution that we can provide at this point.
In the interim, we have disabled the option to connect your Facebook in Teamable. This has no impact on anyone who has previously shared their Facebook connections for the purposes of warm referral recruiting at their company. If you wish to remove your Facebook connections from your Teamable account, please contact Teamable Customer Support.
We remain committed to reintroducing Facebook as a network connection as soon as we're able to.
If you've encountered a problem and you need some help, please email email@example.com. This helps us to triage issues and make sure we don't miss anything important.