ThinkUp v1.3.1 Installation

ThinkUp Security and Data Privacy

The ThinkUp development team takes security and data privacy very seriously. This document describes what data ThinkUp stores, how it handles sensitive data, what security measures the application puts in place to protect that data, what you can do to keep your ThinkUp installation secure, and how to report potential security and privacy bugs in the software.

What Data ThinkUp Stores

ThinkUp does store:

  • ThinkUp user email addresses and encrypted ThinkUp account passwords
  • API keys to access social networks and other web services
  • Social network authorization (OAuth) keys
  • Public and private posts on social networks
  • Public and private user data on social networks

ThinkUp does not store:

  • Passwords to log into social networks
  • Direct messages or private messages on social networks

How ThinkUp Handles Sensitive Data

ThinkUp’s official distribution adheres to a set of rules and standards for handling sensitive data, such as:

Passwords

The only password that ThinkUp stores in its database is each user’s ThinkUp account password. This password is hashed (not stored in clear text). To prevent brute-force attacks that attempt to guess this password, ThinkUp enforces a cap on failed login attempts.

Social network credentials

ThinkUp and its core plugins do not store passwords to social networks like Facebook or Twitter. Instead, ThinkUp stores OAuth credentials to access these networks. This gives users the ability to revoke ThinkUp’s access to their data on the originating network’s settings.

Private post and user details

While ThinkUp collects private posts and data its authorized users have access to on the originating network, ThinkUp does not make those posts available to anyone not logged into ThinkUp.

Facebook data privacy levels: ThinkUp’s current Facebook support is a work in progress and Facebook’s access permissions system is complex. As such, ThinkUp marks all posts to a Facebook user’s profile private; ThinkUp marks all posts to a Facebook page as public. ThinkUp assumes all Facebook users are private.

Only plugins which adhere to these standards will be accepted into the official ThinkUp distribution.

Warning

If you install third-party plugins which are not included in the official ThinkUp distribution, you are taking the risk that they don’t adhere to these guidelines.

Security Measures ThinkUp’s Application Code Puts in Place

Currently ThinkUp’s application code enforces:

How to Secure Your ThinkUp Installation

Since users install ThinkUp on their own web servers, there are a number of security measures a ThinkUp administrator can take to secure the application and the data it stores.

The ThinkUp development team strongly urges all users to:

Run ThinkUp on a dedicated server. On a shared web server, other server users potentially can access PHP session files and ThinkUp’s configuration file, which contains your database username and password. Install ThinkUp on a dedicated (even if virtual) server to prevent unauthorized data access. Get more information about ThinkUp hosting providers.

Use an encrypted connection. Run ThinkUp on a web server with https/SSL or only access your ThinkUp installation through a VPN or secure proxy, so that no one can “sniff” your ThinkUp password when you log in.

Limit your MySQL user access to ONLY your ThinkUp database. Never use ‘root’ or a database user with unlimited access permissions to all your MySQL databases. Set up a ThinkUp-specific database user which can only access your ThinkUp database, not any others.

Make sure no ThinkUp files are writable except the ones required by the application.

Move ThinkUp’s data directory. By default ThinkUp’s writable data directory is located in a web-accessible folder. Move that folder to a more secure location by setting its path in ThinkUp’s config file.

Use strong, unique passwords for your ThinkUp user account as well as all your social network accounts.
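One way to check three of these steps on an existing install (config file permissions, world-writable files, and the location of the data directory), as an added shell script that is not part of ThinkUp. It assumes the config file is <webapp>/config.inc.php and that it sets $THINKUP_CFG['datadir_path'] as a quoted string literal.

```shell
#!/bin/sh
# Added audit script (not ThinkUp's own code). Checks a ThinkUp webapp
# directory against three of the recommendations above. Assumptions:
# the config file is <webapp>/config.inc.php and it sets
# $THINKUP_CFG['datadir_path'] = '...'; with a quoted literal.

# Canonical absolute path of an existing directory (resolves symlinks).
canon() { (cd "$1" 2>/dev/null && pwd -P); }

# 0 if group and others have no permission bits on the config file.
# It holds the database username and password, so only the owner should read it.
check_config_perms() {
    cfg="$1/config.inc.php"
    [ -f "$cfg" ] || return 1
    go=$(ls -ld "$cfg" | cut -c5-10)   # group+other permission characters
    [ "$go" = "------" ]
}

# 0 if no regular file under the install is writable by everyone.
check_world_writable() {
    [ -z "$(find "$1" -type f -perm -002 -print)" ]
}

# 0 if datadir_path is set and resolves to a directory outside the web root.
# Unset means ThinkUp uses its default, which is the web-accessible folder.
check_datadir_outside_webroot() {
    cfg="$1/config.inc.php"
    datadir=$(sed -n "s/.*\['datadir_path'][[:space:]]*=[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$cfg" | head -n 1)
    [ -n "$datadir" ] || return 1
    web=$(canon "$1") && data=$(canon "$datadir") || return 1
    case "$data" in
        "$web"|"$web"/*) return 1 ;;
    esac
    return 0
}

# Runs all three checks, reports each failure, and returns non-zero if any failed.
audit() {
    rc=0
    check_config_perms "$1" || { echo "FAIL: config.inc.php is readable by group/others"; rc=1; }
    check_world_writable "$1" || { echo "FAIL: world-writable files:"; find "$1" -type f -perm -002; rc=1; }
    check_datadir_outside_webroot "$1" || { echo "FAIL: datadir_path unset or inside the web root"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: all three checks passed"
    return "$rc"
}

if [ "$#" -gt 0 ]; then audit "$1"; fi
```

Run it as sh audit.sh /path/to/thinkup/webapp; it does not cover the dedicated-server, HTTPS or MySQL-privilege steps, which have to be verified on the host and database side.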

How to Report a Security Bug

If you find a security bug in ThinkUp, send an email with a descriptive subject line to thinkup-security[at]expertlabs.org. If you think you’ve found a serious vulnerability, please do not file a public issue or post to ThinkUp’s public mailing lists.

Your report will go to the core ThinkUp development team. You will receive an acknowledgement of the report within 24-48 hours, along with our next steps toward releasing a fix. If you don’t get an acknowledgement within 48 hours, contact Gina Trapani or Anil Dash directly.

A working list of public, known security-related issues can be found in the issue tracker.

Thanks for your help.