Following a security audit by Intuit as part of our certification as an approved QuickBooks Online add-on, we made the following security enhancements to iBE.net:

  • Prevent anyone from calling the password API to reset to a new user-supplied password without providing the old password. Our app already required this, but on advice from Intuit we now enforce it in our back-end API as well
  • Checking of client-configured password policies in the back-end API as well as in the password reset user preference app. As with supplying the old password, this prevents a hacker from calling our password reset API directly (not via our app) to bypass any client-configured password policies. We also now default new clients signing up for iBE to require a number as well as upper- and lower-case letters in their users’ passwords
  • Checking for a new password consisting of a word plus a number, or of one of the keywords which are not allowed (based on the client’s password policies) such as the user name or security question response. We now also reject passwords which contain a disallowed keyword with only one letter changed
  • Removal of information from our server API response data which might be helpful to a hacker, such as server-side software, version and cache settings
  • Whilst iBE is, and always was, using fully encrypted https communication, we did not previously stop people from accessing it using http rather than https URLs. Now we automatically redirect anyone accessing iBE over the less secure http to https
  • More aggressive termination or expiry of the user’s session token, which allows them to re-access iBE without re-entering their password if “remember me” was checked. There is no change to the functionality and convenience of “remember me”, as this is an industry-wide feature; however, we now invalidate the token after a shorter time and no longer allow tokens to be used without an expiry date
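To make the first three points concrete, here is an added example of what a server-side password-change handler that enforces these rules looks like. It is illustrative code written for this page, not iBE.net's own implementation: the policy fields, the keyword matching rule, the PBKDF2 hashing, the tiny word list and the sample account (user name `jsmith`, security answer `Rover`) are all assumptions made for the example. The point it demonstrates is that every check runs in the API itself, so a client that skips the app and calls the endpoint directly still cannot change a password without the old one, and still cannot bypass the client's policy or sneak in a keyword with one letter changed.

```python
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

PBKDF2_ROUNDS = 200_000  # assumed work factor for this example; tune to your hardware

# Constructed stand-in for a dictionary of common words; a real deployment
# would load a proper word list.
COMMON_WORDS = {"password", "welcome", "summer", "winter", "company"}


@dataclass
class PasswordPolicy:
    """Client-configured policy, mirrored on the server so the API enforces it."""
    min_length: int = 8
    require_digit: bool = True
    require_upper: bool = True
    require_lower: bool = True
    # Values that must not appear in the password: user name, security answer, ...
    forbidden_keywords: List[str] = field(default_factory=list)


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


def contains_keyword_variant(password: str, keyword: str) -> bool:
    """True if the password contains the keyword, or the keyword with one letter
    changed, anywhere inside it (case-insensitive). Surrounding digits do not
    help, because only a window the length of the keyword is compared. Keywords
    shorter than 4 characters are matched exactly only, to limit false positives
    (an assumption of this example)."""
    p, k = password.lower(), keyword.lower()
    if not k or len(k) > len(p):
        return False
    max_diff = 1 if len(k) >= 4 else 0
    for i in range(len(p) - len(k) + 1):
        window = p[i:i + len(k)]
        if sum(a != b for a, b in zip(window, k)) <= max_diff:
            return True
    return False


def check_policy(new_password: str, policy: PasswordPolicy) -> List[str]:
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(new_password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if policy.require_digit and not re.search(r"\d", new_password):
        problems.append("no digit")
    if policy.require_upper and not re.search(r"[A-Z]", new_password):
        problems.append("no upper-case letter")
    if policy.require_lower and not re.search(r"[a-z]", new_password):
        problems.append("no lower-case letter")
    # A plain word followed by digits ("Summer2024") is rejected even though it
    # formally satisfies the character-class rules above.
    m = re.fullmatch(r"([A-Za-z]+)(\d+)", new_password)
    if m and m.group(1).lower() in COMMON_WORDS:
        problems.append("common word followed by a number")
    for kw in policy.forbidden_keywords:
        if contains_keyword_variant(new_password, kw):
            problems.append("contains a forbidden keyword or a one-letter variant of it")
            break
    return problems


def change_password(user: dict, old_password: Optional[str], new_password: str,
                    policy: PasswordPolicy) -> List[str]:
    """Server-side handler: every check runs here, so calling the API directly
    instead of through the app gains nothing."""
    if old_password is None or not verify_password(old_password, user["salt"], user["digest"]):
        return ["old password missing or incorrect"]
    problems = check_policy(new_password, policy)
    if not problems:
        user["salt"], user["digest"] = hash_password(new_password)
    return problems


def sample_user() -> Tuple[dict, PasswordPolicy]:
    """Constructed account; its user name and security answer feed the keyword list."""
    salt, digest = hash_password("OldPass1x")
    user = {"username": "jsmith", "security_answer": "Rover", "salt": salt, "digest": digest}
    policy = PasswordPolicy(forbidden_keywords=[user["username"], user["security_answer"]])
    return user, policy


if __name__ == "__main__":
    user, policy = sample_user()
    attempts = [(None, "Tq8!vLm2zR"), ("OldPass1x", "jsmith99"), ("OldPass1x", "Jsmyth99"),
                ("OldPass1x", "Summer2024"), ("OldPass1x", "Tq8!vLm2zR")]
    for old, new in attempts:
        print(repr(new), "->", change_password(user, old, new, policy) or "accepted")
```

The keyword check deliberately compares a sliding window of the keyword's length rather than the whole password, which is what makes "jsmith99" and "Jsmyth99" both fail against the user name `jsmith`: appending a number or swapping one letter does not change the window that matches. The old-password check happens before any policy evaluation, so a caller without the current password learns nothing about which policy rules their candidate would have passed.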