This is how can I spoof ANY Sentry.Io log infinitely and create fake error-logs
Ok. First of all: I reported this on HackerOne, 45 days ago. 10 days after, someone filled a duplicate. And they said if I believe this is a security issue, I should report to Sentry.io. So, I did!
Why I still don’t accepted sentry answers, and, I hard believe that this is a security issue:
This vulnerability allows me to create infinitely error-logs, and spoof ANY DATA, title, description, tags, bug information, user, anything.
So, I can generate any log, any fake-error log, and I can cause to phishing sys-admins or the people who will read those logs.
I can also create fake error-logs, with fake id’s and titles, fake my ip, fake EVERYTHING. Every data. Without requests limit.
What is Sentry.Io?
Sentry.io is a software created to help people track their errors. But what is the use, if you can create fake error-logs, infinitely, with fake id’s?
Sentry.Io became useless. Just generate 10.000 fake reports with 50 different ip’s (I can do that in 5 minutes), and admins of system will believe and look for a error where don’t exist. And here, we can fish the fish. :]
What I did?:
I contacted them! And said the details about the error:
1 — My first point: Parameter “event_id” isn’t is required. If you don’t fill it, the system generates it automatically for you. They specified the 128bit’s identifier (uuid4), and said that wasn’t was a security issue. They said that is the way the service should work.
2 — I said that the noise logs can affect their customers. They said that it is not a security concern, and I’m just “causing an annoyance for a customer and generating some noisy logs”
3 — Ok, after I was tired of trying to explain, I showed that my point was useless data and phishing potential. They said that they “understand”, but it’s not a security concern. They can’t stop this. And they can use tools to stop abuse (I sent 20.000 fake error logs to HackerOne in 10 minutes, great tools.), and if you have access to the API key, you can’t prevent this. (That sounds comforting)
4 — My last try, was saying about the size of requests, which I can do requests of MB’s and… they said that their job is “Ingest data” and I “can’t hurt their service”. Even with the phishing potential.
What I did? Spoofed 100.000 error-logs to HackerOne with 1 IP Address within 10 minutes, with fake errors.
I’ll not say anything further. HackerOne said that I could share. And, i’m disclosing this because they said that this is not a security issue.
So, let’s fake error-logs and do phishing attacks, to prove them? (I’m just kidding, but I hope someone read this and fix it.)