
Commit 8da8e87

Merge pull request #1564 from LawnGnome/crate-session-key-thing
Add today's crates.io security notice about session cookies
2 parents 1cd61dd + 70e6502 commit 8da8e87

File tree

1 file changed

+37
-0
lines changed

@@ -0,0 +1,37 @@
1+
+++
2+
layout = "post"
3+
date = 2025-04-11
4+
title = "crates.io security incident: improperly stored session cookies"
5+
author = "Adam Harvey"
6+
team = "the crates.io team <https://www.rust-lang.org/governance/teams/crates-io>"
7+
+++
8+
9+
Today the crates.io team discovered that the contents of the `cargo_session`
10+
cookie were being persisted to our error monitoring service,
11+
[Sentry](https://sentry.io/welcome/), as part of event payloads sent when an
12+
error occurs in the crates.io backend. The value of this cookie is a signed
13+
value that identifies the currently logged in user, and therefore these cookie
14+
values could be used to impersonate any logged in user.
15+
16+
Sentry access is limited to a trusted subset of the crates.io team, Rust
17+
infrastructure team, and the crates.io on-call rotation team, who already have
18+
access to the production environment of crates.io. There is no evidence that
19+
these values were ever accessed or used.
20+
21+
Nevertheless, out of an abundance of caution, we have taken these actions
22+
today:
23+
24+
1. We have [merged and deployed a change to redact all cookie values from all
25+
Sentry events](https://github.com/rust-lang/crates.io/pull/10991).
26+
2. We have invalidated all logged in sessions, thus making the cookies stored
27+
in Sentry useless. In effect, this means that every crates.io user has been
28+
logged out of their browser session(s).
29+
30+
Note that API tokens are **not** affected by this: they are transmitted using
31+
the `Authorization` HTTP header, and were already properly redacted before
32+
events were stored in Sentry. All existing API tokens will continue to work.
33+
34+
We apologise for the inconvenience. If you have any further questions, please
35+
contact us on
36+
[Zulip](https://rust-lang.zulipchat.com/#narrow/stream/318791-t-crates-io) or
37+
[GitHub](https://github.com/rust-lang/crates.io/discussions).
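Review bot: the two remediation steps (hunk lines 24 to 28) cover future Sentry events and currently live sessions, but the notice never says what happened to the Sentry events that already contain `cargo_session` values. Since the post itself states (hunk lines 12 to 14) that these values can impersonate any logged in user, a reader will want to know whether the historical events were purged or scrubbed, or whether they remain retrievable by the Sentry-access group described at hunk lines 16 to 19; consider adding one sentence after step 2, e.g. "We have also deleted the existing Sentry events that contained cookie values." if that is what was done, or stating the retention window otherwise.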
