Security issue with the SDK #12
Comments
|
It captures only the SDK related data whenever there is a crash in the sdk @vaibhavpandeyvpz |
|
I just updated the DSN in your library and tested it with your "included" Sentry config options as below: 
Below is the modified code with updated DSN: 
Below is what was captured: File system paths: 
OS information & software patch versions: 
Package information: 
SDK consumer's customer's browser information: 
This crash information "must" remain private to the organization using the SDK, not Cashfree. To be honest, this is first time so far I've seen a server-side SDK hideously capturing unnecessary system and usage information without consent. Errors happening on the SDK consumer side should be dealt by them and reported to Cashfree when needed. These code snippets are almost equivalent to malicious inserts 99% of the users won't even notice while installing the package. Please get rid of this. |
|
Okay Okay. Understood. We will give the users more flexibility to choose whether they want to send additional information or not. By default, sdk will only capture stack trace. |
The SDK is configured to send information to Sentry on below lines:
This captures a lot of information about the app and/or server and sends it Cashfree's Sentry account without consent from the organization using the SDK. It may contain a lot of information about the visitor (IP, user agent) and server (installation path, other environment variables) which are meant to be kept secret and absolutely have no deal with Cashfree.
The text was updated successfully, but these errors were encountered: