Crypto News

Improperly Stored Session Cookies – What the crates.io Team Is Doing to Fix It

Today the crates.io team discovered that the contents of the cargo_session cookie were being improperly included in our error tracking service, Sentry, as part of the event payloads sent when an error occurs in the crates.io backend. The value of this cookie is a signed value that identifies the currently logged-in user, so these cookie values could be used to impersonate any logged-in user.

Sentry access is limited to a trusted subset of the crates.io team, the Rust infrastructure team, and the crates.io on-call rotation team, who already have access to the crates.io production environment. There is no evidence that these values were accessed or used.

Nevertheless, out of an abundance of caution, we have taken these actions today:

  1. We have merged and deployed a change to redact all cookie values from all Sentry events.
  2. We have invalidated all session cookies, thus making the cookies stored in Sentry useless. In practice, this means that every user of crates.io has been logged out of their browser session(s).
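The redaction in step 1 is the kind of scrubbing a Sentry `before_send` hook should do before an event leaves the process. The following is an added example, not crates.io's own code: it mirrors the shape of a Sentry request context (a header map plus a raw cookie string) with a plain struct, so it runs without the `sentry` crate, and keeps cookie names while replacing every value so an event still shows which cookies were present.

```rust
use std::collections::BTreeMap;

const FILTERED: &str = "[Filtered]";

/// Stand-in for the request context Sentry attaches to an event
/// (assumption: only the two fields this example needs).
#[derive(Debug, Clone, Default, PartialEq)]
pub struct Request {
    pub headers: BTreeMap<String, String>,
    pub cookies: Option<String>,
}

/// Replace every value in a `Cookie` header string with a placeholder,
/// keeping the cookie names for debugging. Bare flags (no `=`) are
/// replaced whole, since they could be a value with a missing name.
pub fn redact_cookie_values(raw: &str) -> String {
    raw.split(';')
        .map(str::trim)
        .filter(|part| !part.is_empty())
        .map(|part| match part.split_once('=') {
            Some((name, _)) => format!("{}={}", name.trim(), FILTERED),
            None => FILTERED.to_string(),
        })
        .collect::<Vec<_>>()
        .join("; ")
}

/// Scrub cookie-bearing fields from a request context. Header names are
/// matched case-insensitively: HTTP headers are case-insensitive and a
/// proxy in front of the backend may change their spelling.
pub fn scrub_request(req: &mut Request) {
    for (name, value) in req.headers.iter_mut() {
        match name.to_ascii_lowercase().as_str() {
            "cookie" => *value = redact_cookie_values(value),
            // Set-Cookie carries a freshly issued session value: drop it whole.
            "set-cookie" => *value = FILTERED.to_string(),
            _ => {}
        }
    }
    if let Some(cookies) = req.cookies.as_mut() {
        *cookies = redact_cookie_values(cookies);
    }
}

fn main() {
    // Constructed sample request; the session value is a placeholder.
    let raw = "cargo_session=SESSION_VALUE_PLACEHOLDER; theme=dark".to_string();
    let mut req = Request {
        headers: BTreeMap::from([("Cookie".to_string(), raw.clone())]),
        cookies: Some(raw),
    };
    scrub_request(&mut req);
    println!("{:?}", req);
}
```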

Note that API tokens are not affected by this: they are transmitted using the Authorization HTTP header, and were already being properly redacted before events were stored in Sentry. All existing API tokens will continue to work.

We apologize for the inconvenience. If you have any further questions, please contact us on Zulip or GitHub.


Adam Harvey on behalf of the crates.io team

Also published here.

