The crates.io team found that the cargo_session cookie, which identifies logged-in users, was being included in error reports sent to Sentry. Although there's no evidence of unauthorized access to these values, the team took preemptive measures to secure user accounts: they redacted cookie values from Sentry events and invalidated all logged-in sessions, effectively signing users out. This mitigates the risk that a leaked session value could be used to impersonate a user, while API tokens remain unaffected.
The contents of the cargo_session cookie were inadvertently sent to our error monitoring service, Sentry, potentially allowing impersonation of logged-in users.
Out of an abundance of caution, we have merged and deployed a change to redact all cookie values from Sentry events and invalidated all logged-in sessions.
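The mitigation described above (stripping cookie values from events before they reach Sentry) is worth seeing as a concrete filter. The following is an added example, not crates.io's own change and not the Sentry SDK's code: a `before_send`-style hook written in Python against the plain-dict shape of a Sentry event (the `request` interface with its `headers` and `cookies` fields), plus a check that a known session value no longer appears anywhere in the serialized event. The sample event, the header layout and the session value are constructed; a real deployment would pass `redact_cookies` as `before_send` to the SDK's init call.

```python
"""Redact cookie values from Sentry events before they leave the process.

Added example (not crates.io or Sentry code). Operates on the dict form of a
Sentry event so it runs stand-alone without the SDK installed.
"""
import json
from typing import Any, Dict, Optional

# Sentry's own placeholder string for scrubbed values.
REDACTED = "[Filtered]"

# Request/response headers that carry session material.
COOKIE_HEADERS = {"cookie", "set-cookie"}

# Constructed session value; the real one was never published.
FAKE_SESSION = "EXAMPLE_SESSION_VALUE_NOT_REAL"


def sample_event() -> Dict[str, Any]:
    """Return a fresh, constructed event resembling a crates.io API error."""
    return {
        "message": "unexpected error in /api/v1/crates/new",
        "request": {
            "url": "https://crates.io/api/v1/crates/new",
            "method": "PUT",
            "headers": {
                "Host": "crates.io",
                "User-Agent": "cargo (constructed)",
                "Cookie": f"cargo_session={FAKE_SESSION}",
            },
            "cookies": {"cargo_session": FAKE_SESSION},
        },
    }


def redact_cookies(event: Dict[str, Any],
                   hint: Optional[Dict[str, Any]] = None) -> Dict[str, Any]:
    """before_send-style hook: keep cookie names, blank every cookie value.

    Handles the `cookies` field as a dict, a list of [name, value] pairs or a
    raw string, and the `headers` field as a dict or a list of pairs, since
    SDKs differ in how they populate the request interface.
    """
    request = event.get("request")
    if not isinstance(request, dict):
        return event

    cookies = request.get("cookies")
    if isinstance(cookies, dict):
        request["cookies"] = {name: REDACTED for name in cookies}
    elif isinstance(cookies, list):
        request["cookies"] = [[pair[0], REDACTED] for pair in cookies]
    elif isinstance(cookies, str):
        request["cookies"] = REDACTED

    headers = request.get("headers")
    if isinstance(headers, dict):
        request["headers"] = {
            k: (REDACTED if str(k).lower() in COOKIE_HEADERS else v)
            for k, v in headers.items()
        }
    elif isinstance(headers, list):
        request["headers"] = [
            [k, REDACTED if str(k).lower() in COOKIE_HEADERS else v]
            for k, v in headers
        ]
    return event


def leaks_value(event: Dict[str, Any], secret: str) -> bool:
    """Regression check: does the serialized event still contain `secret`?

    Serializing the whole event catches copies of the value that ended up in
    fields other than the ones the redactor knows about.
    """
    return secret in json.dumps(event, default=str)


if __name__ == "__main__":
    before = sample_event()
    after = redact_cookies(sample_event())
    print("leaks before:", leaks_value(before, FAKE_SESSION))
    print("leaks after: ", leaks_value(after, FAKE_SESSION))
    print(json.dumps(after["request"], indent=2))
```

The `leaks_value` check is the part to keep around as a test: after adding a scrubber, assert on a captured event that the session value is absent from the serialized payload, not merely from the one field you remembered to clear.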