getsentry / self-hosted

Sentry, feature-complete and packaged up for low-volume deployments and proofs-of-concept
https://develop.sentry.dev/self-hosted/

Admin email address leak #2336

Open LionelVallet opened 1 year ago

LionelVallet commented 1 year ago

Self-Hosted Version

23.7.1

CPU Architecture

x86_64

Docker Version

24.0.5

Docker Compose Version

2.20.2

Steps to Reproduce

Create an admin account on a newly deployed instance with a new unique and dedicated email.

Expected Result

Never receive phishing or spam

Actual Result

I received a phishing attack on an email address created and dedicated for this purpose a few weeks after deployment. The email address is impossible to guess, contains the word "sentry", and was never used anywhere else.

Event ID

No response

LionelVallet commented 1 year ago

sentry

LionelVallet commented 1 year ago

Does this email address leave my server? Is it sent to Sentry for marketing purposes? Does Sentry or one of its subcontractors have a data leak?

hubertdeng123 commented 1 year ago

Is your self-hosted Sentry instance exposed to the web? It was brought up recently that the source of the login page includes a supportEmail.

LionelVallet commented 1 year ago

You're right, there is indeed the organization's support email in a script on the login page. The instance is publicly accessible, but I don't see how a bot could have guessed its URL, which isn't published or used anywhere at the moment.
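A quick check an operator can run against their own login page, added here as an example and not code from Sentry or this thread: it collects every inline script on the page and reports each email address embedded there together with the JSON key it sits under. The sample page, the `window.__initialData` object and the `supportEmail` key name are constructed assumptions modelled on the comment above, not a capture of a real Sentry page.

```python
import re
import urllib.request
from html.parser import HTMLParser

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# JSON-style key immediately before a value, e.g. '"supportEmail": "'
KEY_RE = re.compile(r'"([A-Za-z_]+)"\s*:\s*"?$')

class _ScriptCollector(HTMLParser):
    """Collect the text of every inline <script> block on a page."""
    def __init__(self):
        super().__init__()
        self._in_script = False
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            self.scripts.append("")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts[-1] += data

def find_exposed_emails(html):
    """Return {address: [keys]} for every email found inside inline scripts."""
    parser = _ScriptCollector()
    parser.feed(html)
    found = {}
    for script in parser.scripts:
        for m in EMAIL_RE.finditer(script):
            # look back a little for the key this value is assigned to
            key = KEY_RE.search(script[max(0, m.start() - 40):m.start()])
            found.setdefault(m.group(0), set()).add(key.group(1) if key else "?")
    return {addr: sorted(keys) for addr, keys in found.items()}

def check_login_page(url):
    """Fetch a login page you operate yourself and return what it exposes."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return find_exposed_emails(resp.read().decode("utf-8", "replace"))

# Constructed sample (assumed layout, not a real Sentry page): a config object
# in an inline script plus an external script with no inline body.
SAMPLE_PAGE = """<html><body><script>
window.__initialData = {"isAuthenticated": false,
  "supportEmail": "sentry-admin-7f3a@example.com", "privacyUrl": null};
</script><script src="/app.js"></script></body></html>"""
```

Run `check_login_page("https://<your-instance>/auth/login/")` against an instance you administer; an empty result means no address is embedded in inline scripts.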

LionelVallet commented 1 year ago

I tried to change the support and security email addresses with /manage/settings/. A toast confirms my changes are saved, but when I refresh the page, the administrator email is in the four email fields.

hubertdeng123 commented 1 year ago

Going to put this task on the backlog for now to investigate.