We would like to share more details about the events that occurred with Phrase between 09:50 AM CEST and 10:45 AM CEST on April 30, 2024, which led to degraded performance of the Translation Center component, and about what Phrase engineers are doing to prevent these issues from recurring.
09:40 AM CEST: Some internal framework configurations were updated and deployed. This activity is performed to allow our codebase to make use of up-to-date features and improvements provided by the underlying technology.
09:50 AM CEST: The internal exception monitoring tool started receiving events regarding failures to perform SSO. The source of this issue was quickly identified.
10:22 AM CEST: A patch to fix this problem (a broken redirection to the SSO page) was prepared and merged.
10:45 AM CEST: The fix was live in production, and login via SSO was working as expected.
Among the updates that were originally deployed was one that is meant to enhance protection against open redirect attacks. This required the allowlisting of any external URLs to which a user can navigate from the Phrase Strings app. This included the “Login with SSO” page, which was missed.
The automated test suite will be updated to take into account all such instances (where a user can navigate to a different URL) and to improve coverage wherever required.
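
A sketch of the kind of coverage check described above, as an added example and not Phrase's own code: a host allowlist guard for redirects, plus an audit that runs every declared external navigation target through it so a missed entry fails in the test suite instead of in production. The hosts, feature names and function names are constructed placeholders.

```python
from urllib.parse import urlsplit

# Constructed sample data (placeholders, not Phrase's real configuration).
ALLOWED_REDIRECT_HOSTS = {"help.example.com", "billing.example.com"}

# Every place the app sends a user to another origin, keyed by feature.
EXTERNAL_NAVIGATION_TARGETS = {
    "help_center": "https://help.example.com/articles",
    "billing_portal": "https://billing.example.com/invoices",
    "login_with_sso": "https://sso.example.com/saml/login",  # not allowlisted
}


def is_allowed_redirect(url, allowed_hosts=ALLOWED_REDIRECT_HOSTS):
    """True for in-app absolute paths, or https URLs whose exact host is allowlisted."""
    # Reject backslashes and control characters, which URL parsers treat inconsistently.
    if "\\" in url or any(ord(c) < 0x20 for c in url):
        return False
    try:
        parts = urlsplit(url)
        host = parts.hostname
    except ValueError:
        return False
    if not parts.scheme and not parts.netloc:
        # Relative target: must be a single-slash path, never protocol-relative.
        return url.startswith("/") and not url.startswith("//")
    # Exact host match only: no suffix matching, and userinfo tricks resolve
    # to the real host via parts.hostname.
    return parts.scheme == "https" and host in allowed_hosts


def audit_navigation_targets(targets, allowed_hosts):
    """Return {feature: url} for every declared target the guard would block."""
    return {
        name: url
        for name, url in targets.items()
        if not is_allowed_redirect(url, allowed_hosts)
    }


if __name__ == "__main__":
    blocked = audit_navigation_targets(EXTERNAL_NAVIGATION_TARGETS, ALLOWED_REDIRECT_HOSTS)
    for name, url in blocked.items():
        print(f"blocked by allowlist: {name} -> {url}")
    raise SystemExit(1 if blocked else 0)
```

Run as a CI step, the non-zero exit makes a forgotten allowlist entry block the deploy; the audit is only as complete as the declared list of navigation targets.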