Between ~10:05am PST and 10:35am PST on March 16th 2021, some users in a Jump Desktop Team were able to attempt connections to all computers on their Team. Being able to attempt a connection to a computer does not mean that the user was able to log into the computer. Jump Desktop Connect's security design requires users to authenticate locally with the computer before it allows the incoming connection to proceed. Users would have needed to enter local credentials (the 'Mac Credentials' or 'Windows Credentials' dialog prompt) before they were allowed to log into the computer.
The issue has been resolved.
The issue lasted from ~10:05am to 10:35am PST and affected approximately 25% of users logged in at that time (see timeline below).
Important Note: Existing connections to machines made during ~10:05am - 10:35am PST would not have been automatically disconnected.
Was I impacted by this?
If you are a Jump Desktop for Teams user and your team users were logged into the Jump Desktop client app between ~10:05am and 10:35am PST, you may have been impacted. Users in your Team may have been able to attempt connections to team machines they would not normally have access to. Users would still have had to authenticate locally with the machine to complete the connection.
Recommended steps for affected users:
a. Review computer connection logs to make sure there were no unauthorized connections to your team's computers between 10:00am and 10:40am PST on March 16th 2021:
- Team administrators should visit the Team's dashboard: https://app.jumpdesktop.com - your Team - Computers and review the connection history for your computers during this time.
- Jump Desktop Connect also stores logs locally on the host computer for all incoming connection attempts:
  - Windows: Check the Event Viewer app in the 'Applications' logs.
  - Mac: /Library/Logs/Jump Desktop/access.log
b. Ensure local computer accounts are not shared between users on your team. Jump Desktop Connect requires all incoming connection attempts to authenticate locally before allowing the connection through.
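For the Windows log check in step a, an added PowerShell example (not Jump Desktop's own tooling) that pulls Application-log events from the review window. It assumes the times on this page are US Pacific wall-clock time and that Jump Desktop Connect events carry "Jump" in the provider name or message text; because US Pacific time was on daylight time (UTC-7) on that date, the window is widened to cover both UTC-8 and UTC-7 readings of "PST".

```powershell
# Added example: list Application-log events that mention Jump Desktop
# inside the review window (10:00am to 10:40am on March 16th 2021).
# Assumption: the page's times are US Pacific wall-clock time. The window is
# built at both UTC-8 (PST) and UTC-7 (PDT, in effect on that date) so that
# either reading of "PST" is covered.
$pst = [DateTimeOffset]::new(2021, 3, 16, 10, 0, 0, [TimeSpan]::FromHours(-8))
$pdt = [DateTimeOffset]::new(2021, 3, 16, 10, 0, 0, [TimeSpan]::FromHours(-7))

# Earliest start is 10:00 at UTC-7 (17:00 UTC);
# latest end is 10:40 at UTC-8 (18:40 UTC).
$start = $pdt.LocalDateTime
$end   = $pst.AddMinutes(40).LocalDateTime

# Get-WinEvent evaluates StartTime/EndTime as local time on this host,
# so the window is converted to the host's own time zone above.
$filter = @{ LogName = 'Application'; StartTime = $start; EndTime = $end }

# Assumption: Jump Desktop Connect events can be recognised by "Jump" in the
# provider name or message text; adjust the pattern to what your hosts log.
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -match 'Jump' -or $_.Message -match 'Jump' } |
    Sort-Object TimeCreated

if (-not $events) {
    Write-Output "No matching events between $start and $end (local time)."
} else {
    # Full message text is shown so the connecting user can be compared
    # against who is expected to use this computer.
    $events |
        Select-Object TimeCreated, ProviderName, Id, LevelDisplayName, Message |
        Format-List
}
```

An empty result can also mean the Application log has rolled over since the incident, so check the oldest event still retained on the host before treating it as a clean result.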
How do I remove avatars of computers I do not have access to?
Users who were logged in during the impacted time may see icons for offline / inaccessible computers. They cannot connect to these computers. You can delete the computers in the client app and restart Jump to see only the computers that are accessible to you. On a Mac, deleting the Servers directory (~/Documents/JumpDesktop/Viewer/Servers) would also reset the server list. Note: You will lose any per-computer settings on the client.
What we're doing to address this:
- We will be increasing retention of Computer Connection History logs for all Team users in the next few days.
- We are currently analyzing the potential impact and will contact customers individually if required. We have directly contacted customers who may have been affected by this issue.
Timeline:
- At ~10:05am PST on March 16th 2021, a new round of deployment to our cloud servers was started. This deployment had a bug that allowed Teams users to initiate connections to all online computers in their own team. Users could initiate a connection to computers, but they would still need to authenticate locally with the computer before connecting.
- Between 10:05am and 10:19am, a small fraction of the incoming traffic (<3%) was switched over to the new deployment.
- Between ~10:20am and 10:35am PST, we switched over approximately 25% of traffic to the new cloud deployment. Anyone who connected to the new deployment would have experienced this issue.
- At ~10:35am PST, the issue was detected and the new deployment was pulled, which resolved the issue.
For more information please contact: firstname.lastname@example.org .