Between Mar 23, 2023 8:20am MT and Mar 24, 2023 12:10pm MT, Spark users may have encountered an error when attempting to access certain pages related to HR, profile and tax receipt information. The issue was initially identified and raised through client success channels, and then was quickly escalated to the engineering team.
Investigation determined that the cause was an unanticipated behaviour change introduced by a recent security update of a third-party service. Benevity's Engineering team developed and successfully tested a software patch to accommodate the behaviour change, and the patch was then deployed through all of Benevity's environments. After deployment, access to and functionality of the HR, profile, and tax information pages were restored for all Spark users.
During the incident, Spark users were unable to access certain pages related to HR, profile, and tax receipt information between Mar 23, 2023 8:20pm MT and Mar 24, 2023 12:10pm MT. There was no impact to user logins or donation flows, and all other pages were accessible.
As part of Benevity's commitment to security, all of our systems are updated and patched on a regular cadence to ensure they comply with, or exceed, the latest published security baselines.
A security update for a third-party service, deployed on Mar 23, introduced a change in behaviour specific to site URLs with space characters, resulting in the HR, profile, and tax receipt information pages being inaccessible.
This update was made in accordance with our standard change management procedures, but the behaviour change it introduced was not caught by the automated test suite, because URLs containing space characters are not a common pattern in Spark and were therefore not explicitly tested.