LeafData Bug 5208

A flaw in LeafData is scrambling API keys for users on a daily basis - and has been for over four weeks. Every time a user would like to use LeafData, or to use their third-party software connection, they must reset their API key. For many this adds an additional 10-15 minutes of work every morning.

Cause Analysis

Both the LCB and LeafData are reluctant to share details about this issue. They've only said vague things like "it's related to the license file import" and "users are soft-deleted and manually fixed". They've confirmed what third parties have observed: it only affects licenses that have been moved, sold or split. Of course, since we are working with 100s of farms, we're also able to observe these issues first hand.

And it seems very simple.

In every case we've observed, the Contact/User(A) affected is one that was designated as an Admin level for License(B). Now, once the license is split, or changes owner, there is a new Admin level Contact/User(C). Contact(A) is now removed from License(B) (the soft-delete). However, Contact(A) is still the Admin of License(D) (the split one), or possibly becomes the new admin of License(E).

It sounds a little complicated, and it might be -- there is a many-to-many relationship here between Contact and License. Another design flaw of LeafData is how API keys are managed - they are specific to one Contact only. If the Contact is able to access multiple licenses, then the same key works for all. And if that same Contact is revoked from one license, but not another, then we see the key scrambled (i.e., the "soft delete").
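
The revocation behaviour hypothesized above, as an added sketch that is not LeafData's code: a toy in-memory model with one API key per Contact and a many-to-many Contact/License relation. The class, method names and sample identifiers are assumptions made for illustration; `revoke_observed` models the suspected flaw and `revoke_scoped` a membership-scoped alternative.

```python
import secrets


class Registry:
    """Toy model (assumed, not LeafData's schema): one key per contact."""

    def __init__(self):
        self.api_key = {}      # contact -> API key, shared across licenses
        self.members = set()   # (contact, license) pairs, many-to-many

    def grant(self, contact, license_id):
        self.members.add((contact, license_id))
        self.api_key.setdefault(contact, secrets.token_hex(16))

    def licenses_of(self, contact):
        return {lic for c, lic in self.members if c == contact}

    def key_works(self, contact, key, license_id):
        current = self.api_key.get(contact, "")
        return (secrets.compare_digest(current, key)
                and (contact, license_id) in self.members)

    def revoke_observed(self, contact, license_id):
        # Suspected flaw: the soft-delete acts on the contact, so the shared
        # key is scrambled even though other licenses still rely on it.
        self.members.discard((contact, license_id))
        self.api_key[contact] = secrets.token_hex(16)

    def revoke_scoped(self, contact, license_id):
        # Alternative: remove only the membership; rotate the key only when
        # the contact has no licenses left.
        self.members.discard((contact, license_id))
        if not self.licenses_of(contact):
            self.api_key[contact] = secrets.token_hex(16)


def demo(revoke_name):
    """Contact A admins licenses B and D (constructed names); B changes owner.
    Returns (old key still works for D, old key still works for B)."""
    reg = Registry()
    reg.grant("contact-A", "license-B")
    reg.grant("contact-A", "license-D")
    old_key = reg.api_key["contact-A"]
    getattr(reg, revoke_name)("contact-A", "license-B")
    return (reg.key_works("contact-A", old_key, "license-D"),
            reg.key_works("contact-A", old_key, "license-B"))


if __name__ == "__main__":
    print("observed:", demo("revoke_observed"))
    print("scoped:  ", demo("revoke_scoped"))
```

In both variants the old key stops working for License(B); only the scoped variant keeps it valid for License(D).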

Industry Impact

It's hard to get a full read on the impact -- neither LeafData nor the LCB would share an accurate count of affected licensees. We are waiting on a FOIA Request.

Update November 12th

This issue is now six weeks old and continues to affect 100s of licensees.