Open LionelVallet opened 1 year ago
Does this email address leave my server? Is it sent to Sentry for marketing purposes? Does Sentry or one of its subcontractors have a data leak?
Is your self-hosted Sentry instance exposed to the web? It was brought up recently that the source of the login page includes a supportEmail.
You're right, there is indeed the organization's support email in a script on the login page. The instance is publicly accessible, but I don't see how a bot could have guessed its URL, which isn't published or used anywhere at the moment.
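The two posts above agree that the organisation's support address ends up in an inline script on the publicly reachable login page. The following is an added example, not code from this issue or from Sentry itself: an offline scanner that separates e-mail addresses found inside `<script>` blocks from those in visible page text, so you can confirm a leak like this one on your own instance. The sample HTML is constructed for the demo, and the `supportEmail` key in it is only one illustration of where such a value can appear; the scanner reports any e-mail-looking string inside a script regardless of the key name.

```python
"""Scan an HTML page for e-mail addresses embedded in inline <script> blocks.

Added example (not from the Sentry issue or Sentry's own code). The sample
login page below is constructed for this demo; the `supportEmail` key is an
assumption used for illustration, not Sentry's documented page structure.
"""
import re
import urllib.request
from html.parser import HTMLParser

# Deliberately permissive: we want to flag anything that looks like an address.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


class _ScriptTextSplitter(HTMLParser):
    """Collect script bodies and visible text separately."""

    def __init__(self):
        super().__init__()
        self._in_script = False
        self.scripts = []   # one string per <script> element
        self.text = []      # visible text fragments

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self._in_script = True
            self.scripts.append("")

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser delivers <script> content as raw CDATA, possibly in
        # several chunks, so append to the current script body.
        if self._in_script:
            self.scripts[-1] += data
        else:
            self.text.append(data)


def scan_page(html):
    """Return {"script": [...], "text": [...]} of unique addresses, sorted."""
    p = _ScriptTextSplitter()
    p.feed(html)
    p.close()
    in_scripts = set()
    for body in p.scripts:
        in_scripts.update(EMAIL_RE.findall(body))
    in_text = set(EMAIL_RE.findall(" ".join(p.text)))
    return {"script": sorted(in_scripts), "text": sorted(in_text)}


def script_only_leaks(html):
    """Addresses that appear only in scripts, i.e. not on the rendered page.

    These are the ones an operator would not notice by looking at the page
    but that any crawler reading the HTML source will harvest.
    """
    found = scan_page(html)
    return [e for e in found["script"] if e not in found["text"]]


def check_url(url):
    """Fetch a page unauthenticated and scan it (network; not used offline)."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return script_only_leaks(resp.read().decode("utf-8", "replace"))


# Constructed sample page for the demo (not a real Sentry response).
SAMPLE_LOGIN_PAGE = """<!doctype html>
<html><head><title>Sign in</title>
<script>
window.__initialData__ = {"supportEmail": "sentry-support@example.org",
                          "user": null};
</script>
</head>
<body>
<p>Contact us</p>
<a href="mailto:public@example.org">public@example.org</a>
</body></html>
"""

if __name__ == "__main__":
    print(scan_page(SAMPLE_LOGIN_PAGE))
    print("leaked only via script:", script_only_leaks(SAMPLE_LOGIN_PAGE))
```

Run `check_url("https://<your-instance>/auth/login/")` from a host that is not logged in to see what an anonymous crawler would see; anything returned by `script_only_leaks` is an address you are publishing without it ever being rendered.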
I tried to change the support and security email addresses with /manage/settings/. A toast confirms my changes are saved, but when I refresh the page, the administrator email is in the four email fields.
Going to put this task on the backlog for now to investigate.
Self-Hosted Version
23.7.1
CPU Architecture
x86_64
Docker Version
24.0.5
Docker Compose Version
2.20.2
Steps to Reproduce
Create an admin account on a newly deployed instance with a new unique and dedicated email.
Expected Result
Never receive phishing or spam.
Actual Result
I received a phishing attack on an email address created and dedicated for this purpose a few weeks after deployment. The email address is impossible to guess, contains the word "sentry", and was never used anywhere else.
Event ID
No response