Today the crates.io team discovered that the contents of the cargo_session cookie were being persisted to our error monitoring service, Sentry, as part of event payloads sent when an error occurs in the crates.io backend. The value of this cookie is a signed value that identifies the currently logged in user, and therefore these cookie values could be used to impersonate any logged in user. Sentry access is limited to a trusted subset of the crates.io team, Rust infrastructure team, and the crates.io on-call rotation team, who already have access to the production environment of crates.io. There is no evidence that these values were ever accessed or used. Nevertheless, out of an abundance of caution, we have taken these actions today: We have merged and deployed a change to redact all cookie values from all Sentry events.
We have invalidated all logged in sessions, thus making the cookies stored in Sentry useless. In effect, this means that every crates.io user has been logged out of their browser session(s). Note that API tokens are not affected by this: they are transmitted using the Authorization HTTP header, and were already properly redacted before events were stored in Sentry. All existing API tokens will continue to work. We apologise for the inconvenience. If you have any further questions, please contact us on Zulip or GitHub. Adam Harvey on behalf of the crates.io team Also published here Feature image: https://unsplash.com/photos/baked-cookies-ZS3OfU40CQU Today the crates.io team discovered that the contents of the cargo_session cookie were being persisted to our error monitoring service, Sentry , as part of event payloads sent when an error occurs in the crates.io backend. The value of this cookie is a signed value that identifies the currently logged in user, and therefore these cookie values could be used to impersonate any logged in user. cargo_session Sentry Sentry access is limited to a trusted subset of the crates.io team, Rust infrastructure team, and the crates.io on-call rotation team, who already have access to the production environment of crates.io. There is no evidence that these values were ever accessed or used. Nevertheless, out of an abundance of caution, we have taken these actions today: We have merged and deployed a change to redact all cookie values from all Sentry events. We have invalidated all logged in sessions, thus making the cookies stored in Sentry useless. In effect, this means that every crates.io user has been logged out of their browser session(s). We have merged and deployed a change to redact all cookie values from all Sentry events . merged and deployed a change to redact all cookie values from all Sentry events We have invalidated all logged in sessions, thus making the cookies stored in Sentry useless. In effect, this means that every crates.io user has been logged out of their browser session(s). Note that API tokens are not affected by this: they are transmitted using the Authorization HTTP header, and were already properly redacted before events were stored in Sentry. All existing API tokens will continue to work. not Authorization We apologise for the inconvenience. If you have any further questions, please contact us on Zulip or GitHub . Zulip GitHub Adam Harvey on behalf of the crates.io team Adam Harvey on behalf of the crates.io team the crates.io team the crates.io team Also published here Also published here here Feature image: https://unsplash.com/photos/baked-cookies-ZS3OfU40CQU Feature image: https://unsplash.com/photos/baked-cookies-ZS3OfU40CQU https://unsplash.com/photos/baked-cookies-ZS3OfU40CQU

Sentry

An Update on Rust's March Project Goals: What's the Progress So Far?

Read My Stories

Too Long; Didn't Read

Make resilience your competitive advantage

Improperly Stored Session Cookies - What the crates.io Team Is Doing to Fix It

About Author

Comments

TOPICS

THIS ARTICLE WAS FEATURED IN

Related Stories

Untitled Story

All the Details and Changes That Came With Rust 1.82.0

10 Most Sought-After Programming Languages You Should Learn In 2021

The Noonification: How to Move Away From Twitter (12/15/2022)

The Noonification: The Wall of Death (12/26/2022)

6 Best Rust Programming Books Ranked by Reviews

All the Details and Changes That Came With Rust 1.82.0

10 Most Sought-After Programming Languages You Should Learn In 2021

The Noonification: How to Move Away From Twitter (12/15/2022)

The Noonification: The Wall of Death (12/26/2022)

6 Best Rust Programming Books Ranked by Reviews

Light-Mode

Classic

Newspaper

Dark-Mode

Neon Noir

Minty

HN StartUps