Pub-dev: Sensitive pub.dev activity data exposed

Created on 21 Oct 2020  路  2Comments  路  Source: dart-lang/pub-dev

While creating a client to interact with pub API, I found an endpoint that I believe is exposing some sensitive pub.dev activity information to the public.

I will not list the endpoint here for obvious reasons. I am available through DM on a few channels like Twitter, or Flutter Study Group on slack, if this is not the right forum for this.

The current data exposed displays the following global events:

  • Member created
  • Publisher created
  • Member invited
  • Member removed
  • Probably others
{
      "id": "REDACTED",
      "package": null,
      "version": null,
      "timestamp": "REDACTED",
      "source": "account",
      "eventType": "memberJoined",
      "eventData": {
        "publisherId": "REDACTED",
        "userId": "REDACTED",
        "userEmail": "REDACTED",
        "role": "admin",
        "timestamp": "REDACTED"
      },
      "markdown": "REDACTED joined as member in role `admin`."
 }

Most helpful comment

I deployed a fix, before filed https://github.com/dart-lang/pub-dev/pull/4174

This should be fixed now, thanks for the report. For future reference private reports can be made through https://pub.dev/security or [email protected]

All 2 comments

I deployed a fix, before filed https://github.com/dart-lang/pub-dev/pull/4174

This should be fixed now, thanks for the report. For future reference private reports can be made through https://pub.dev/security or [email protected]

@jonasfj Great! Thanks for the fast response! I will make sure I send a communication through proper channels going forward.

Was this page helpful?
0 / 5 - 0 ratings

Related issues

Henry-Keys picture Henry-Keys  路  6Comments

vaind picture vaind  路  3Comments

zoechi picture zoechi  路  3Comments

eseidelGoogle picture eseidelGoogle  路  3Comments

yeradis picture yeradis  路  3Comments