ClickUp Discloses Exposure of Customer Emails and API Token

Productivity platform ClickUp disclosed a configuration oversight that exposed the personal information of 893 customers when client-side feature flag configurations became publicly queryable. The incident also revealed a live API token embedded in a flag configuration that remained active for months due to reporting and triage failures. ClickUp has since removed the exposed emails, invalidated the token, and committed to automated scanning to prevent PII or credentials in flag configs. #ClickUp #SplitIO

Keypoints

  • 893 customer email addresses were exposed through publicly queryable feature flag configurations.
  • A live API token for one workspace was accidentally placed in a flag and remained active for months before invalidation.
  • ClickUp used Split.io client-side SDK keys and targeted customer emails in flag rules, making the data discoverable by design.
  • A researcher report to HackerOne was mis-triaged as a duplicate and escalation attempts were blocked by spam filters, delaying remediation.
  • ClickUp removed the exposed emails, invalidated the token, and plans to implement automated scanning to block PII or credential patterns in flags.
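The automated scanning ClickUp plans for its flag configs can be implemented as a pre-publish check; the following is an added example, not ClickUp's or Split.io's code. The flag structure, the credential prefixes, and the entropy threshold are assumptions, and the sample config is constructed.

```python
import math
import re
from typing import Any, Iterator

# Constructed sample flag definition (illustrative shape, not Split.io's real schema):
# a whitelist rule keyed on customer emails plus a treatment config carrying a token.
SAMPLE_FLAG_CONFIG: dict[str, Any] = {
    "name": "new_dashboard",
    "rules": [
        {"matcher": "WHITELIST", "whitelist": ["alice@example.com", "bob@example.org"], "treatment": "on"},
        {"matcher": "ALL_KEYS", "treatment": "off"},
    ],
    "configurations": {"on": {"apiToken": "tok_9f8a7b6c5d4e3f2a1b0c9d8e7f6a5b4c",
                              "sessionSalt": "aZ3kQ9mP2xL7vB4nR8tY1uW6sE0hJ5gF"}},
    "description": "Rollout of the new dashboard to early-access workspaces",
}

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Hypothetical credential prefixes; substitute the formats your own secrets use.
TOKEN_RE = re.compile(r"\b(?:tok|sk|pk|api)_[A-Za-z0-9]{24,}\b")
ENTROPY_MIN_LEN, ENTROPY_THRESHOLD = 32, 3.5  # bits per character

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character: random secrets score high, prose scores low."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def walk_strings(node: Any, path: str = "$") -> Iterator[tuple[str, str]]:
    """Yield (json-path, string) for every string leaf in a nested flag config."""
    if isinstance(node, dict):
        for k, v in node.items():
            yield from walk_strings(v, f"{path}.{k}")
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from walk_strings(v, f"{path}[{i}]")
    elif isinstance(node, str):
        yield path, node

def scan_flag_config(config: dict[str, Any]) -> list[dict[str, str]]:
    """Return PII/credential findings; a non-empty list should block the flag's publish."""
    findings = []
    for path, value in walk_strings(config):
        for m in EMAIL_RE.finditer(value):
            findings.append({"path": path, "kind": "email", "value": m.group()})
        if m := TOKEN_RE.search(value):
            findings.append({"path": path, "kind": "credential", "value": m.group()})
        elif (len(value) >= ENTROPY_MIN_LEN and " " not in value
              and shannon_entropy(value) >= ENTROPY_THRESHOLD):
            findings.append({"path": path, "kind": "credential", "value": value})
    return findings
```

Wired into a pre-publish hook, `scan_flag_config(SAMPLE_FLAG_CONFIG)` reports both whitelisted emails and both token-like values, which is exactly the class of data that a client-side SDK key would otherwise serve to anyone who asks.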

Read More: https://securityonline.info/clickup-feature-flag-data-exposure-api-token-breach/