From 70e650290b527ef6e28e8b2ef8f1aac998029839 Mon Sep 17 00:00:00 2001 From: Adam Harvey Date: Fri, 11 Apr 2025 12:37:58 -0700 Subject: [PATCH] Add today's crates.io security notice about session cookies. --- content/crates-io-security-session-cookies.md | 37 +++++++++++++++++++ 1 file changed, 37 insertions(+) create mode 100644 content/crates-io-security-session-cookies.md diff --git a/content/crates-io-security-session-cookies.md b/content/crates-io-security-session-cookies.md new file mode 100644 index 000000000..a4a54ec23 --- /dev/null +++ b/content/crates-io-security-session-cookies.md 
@@ -0,0 +1,37 @@ ++++ +layout = "post" +date = 2025-04-11 +title = "crates.io security incident: improperly stored session cookies" +author = "Adam Harvey" +team = "the crates.io team " ++++ + +Today the crates.io team discovered that the contents of the `cargo_session` +cookie were being persisted to our error monitoring service, +[Sentry](https://sentry.io/welcome/), as part of event payloads sent when an +error occurs in the crates.io backend. The value of this cookie is a signed +value that identifies the currently logged in user, and therefore these cookie +values could be used to impersonate any logged in user. + +Sentry access is limited to a trusted subset of the crates.io team, Rust +infrastructure team, and the crates.io on-call rotation team, who already have +access to the production environment of crates.io. There is no evidence that +these values were ever accessed or used. + +Nevertheless, out of an abundance of caution, we have taken these actions +today: + +1. We have [merged and deployed a change to redact all cookie values from all + Sentry events](https://github.com/rust-lang/crates.io/pull/10991). +2. We have invalidated all logged in sessions, thus making the cookies stored + in Sentry useless. In effect, this means that every crates.io user has been + logged out of their browser session(s). + +Note that API tokens are **not** affected by this: they are transmitted using +the `Authorization` HTTP header, and were already properly redacted before +events were stored in Sentry. All existing API tokens will continue to work. + +We apologise for the inconvenience. If you have any further questions, please +contact us on +[Zulip](https://rust-lang.zulipchat.com/#narrow/stream/318791-t-crates-io) or +[GitHub](https://github.com/rust-lang/crates.io/discussions).
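Review bot: the two actions listed under "we have taken these actions today" leave a gap the post should close explicitly: redacting cookie values from future Sentry events and invalidating sessions covers new events and neutralises the leaked values, but the text never says whether the events already stored in Sentry that contain `cargo_session` values were scrubbed or deleted, or how long Sentry retains them. Since the paragraph above states "There is no evidence that these values were ever accessed or used", readers will want to know whether those stored payloads still exist; a sentence such as "Existing Sentry events containing cookie values have been deleted" (or, if they have not been, why that is acceptable given the session invalidation) would answer the obvious follow-up question. Two smaller points in the same hunk: the frontmatter line `team = "the crates.io team "` has a trailing space inside the string and looks truncated compared with the other fields, so check it against the frontmatter of earlier posts before merging; and "the currently logged in user" / "every crates.io user has been logged out" read more cleanly as "logged-in user" (hyphenated as a compound adjective) while "logged out" stays as is.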