Sentry: user registration should be disabled by default

Created on 24 Jun 2017 · 9 Comments · Source: getsentry/sentry

I was notified by a white hat "hacker" today about my completely open Sentry instance (anyone can register and access projects). Clearly an oversight on my part, but it would be good to see some info/warnings about this in the docs or to disable registration altogether in the default settings.

I really doubt that a typical Sentry admin wants anyone on the internet to be able to get instant access to bits of their source code, passwords, and other sensitive data. Those that do want this kind of access should be the ones who tweak the settings and explicitly allow it.

When coming up with defaults, it's almost always better to go for _more_ security, not less. I'm wondering how many other open instances are running out there and already getting exploited.

All 9 comments

I received a mail from a white hat today, facing the same situation too.

Same here, luckily enough the guy who sent the email created a blog post on his homepage where he shows how he did this + how to disable the login

https://julian-uphoff.de/2017/06/24/how-i-found-your-sentry-instance-and-how-to-disable-user-registration/

White hat?.. Just a typical black hat, who got the maximum of what he could from an e-mail exposure vulnerability :-/.

Sentry shouldn't be used in the way we (all who got the message) use it. Don't allow access from the Internet to it. I'm going to fix it for my Sentry instance ASAP.

We strongly encourage customers to firewall off Sentry (as well as any other internal service), as there's generally no reason to expose it to the internet. Additionally, if compliance isn't a concern for you, you should take a look at our cloud option as we take care of these security concerns for you (and we're generally cheaper than running it yourself).

@dcramer That's not entirely true, for instance logging exceptions from JavaScript (frontend) applications or other platforms where code runs remotely, not on your network. You could put Sentry behind a WAF or otherwise and restrict all routes except the DSN URLs you need.
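The split described in the comment above, as an added example that is not from the Sentry project or from anyone in this thread: a reverse-proxy config that exposes only the event-ingest endpoint to the internet and keeps the UI, login and registration pages reachable from an internal range only. It assumes Sentry listens on 127.0.0.1:9000, that the ingest path is /api/<project_id>/store/ (check this against your Sentry version), and uses 10.0.0.0/8 and sentry.example.com as placeholders.

```nginx
# Added example, not Sentry's own configuration. Assumptions: Sentry on
# 127.0.0.1:9000; ingest path /api/<project_id>/store/; 10.0.0.0/8 is the
# internal/VPN range (placeholder); TLS directives omitted for brevity.

upstream sentry {
    server 127.0.0.1:9000;
}

server {
    listen 443 ssl;
    server_name sentry.example.com;   # placeholder hostname

    # Public: SDKs running in browsers or on machines outside your network
    # only need to send events here; the request carries the DSN key.
    location ~ ^/api/[0-9]+/store/$ {
        proxy_pass http://sentry;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }

    # Everything else (web UI, /auth/login/, /auth/register/, the /api/0/
    # web API) is internal only, so an open-registration setting is not
    # reachable from the internet even if it is left enabled by mistake.
    location / {
        allow 10.0.0.0/8;
        deny all;
        proxy_pass http://sentry;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

After reloading, confirm from an external address that `/auth/register/` returns 403 while a POST to the store endpoint still succeeds.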

@ei-grad that is a cheap shot at those who are trying to do the right thing. There definitely are white hats in the industry.

@wmealing unauthorized access to publicly exposed private services is actually a crime in some countries. Don't say "white hat" if you don't know what responsible disclosure is.

I don't get your attitude. You'd rather just go on blissfully not knowing that you have a security problem? No. Sounds to me like your boss got one of his emails and chewed you out for dropping the ball on security so now you're butthurt.

I am just going to close and lock this issue since conversation has derailed. The next release will have this configurable in the UI.
