Dear SecureDrop translation community,
Due to a misconfiguration of our self-hosted instance of Weblate, we would like to inform you that a password reset will be required before you log in.
- If you use your email address and password to log in, you can request a password reset using this form.
- If you are using GitHub to log in, log in as usual, but note that you will need to grant permission to use your GitHub account upon login, even if you have done this before.
- If you were using an API token for any integrations, you will need to regenerate it in your account profile under the ‘API access’ tab.
If you are having difficulty with this process, please do not hesitate to contact us directly at email@example.com.
Please note that you will not be able to log into Weblate until you have taken either of the steps above.
As background, an independent security researcher noticed that it was possible to log into Weblate as an administrator using default credentials. We immediately addressed the issue after it was reported to us, and we have found no evidence in our logs that any additional third parties have gained access to Weblate. While passwords were not exposed, we reset all passwords out of an abundance of caution. This misconfiguration has no direct security implications for SecureDrop itself.
As a precaution, we have reset all login credentials. For more background on this misconfiguration, please see our security disclosure.
During this maintenance window, we have also upgraded the version of Weblate from 3.7.1 to 3.10.3. You can find information about the changes in the Weblate changelog.
As part of our due diligence in this matter, we will conduct some additional checks on existing translations. Your continued attention and help in translating and reviewing both new and existing translations is always appreciated.
We apologize for the error, and for the inconvenience. Thank you for your help translating SecureDrop!