Privacy Issue During iOS Build #1990

Closed
leymytel opened this issue Aug 7, 2023 · 7 comments

leymytel commented Aug 7, 2023

Build/Submit details page URL

https://expo.dev/accounts/removed/projects/removed/builds/removed/

Summary

While attempting to build my iOS app using eas-cli, I encountered an "internal server error". Upon inspecting the logs, I noticed that I was able to view what seems to be another user's information. This raised a potential data privacy concern, and I wanted to bring it to the team's attention.

Managed or bare?

Bare

Environment

  expo-env-info 1.0.5 environment info:
    System:
      OS: macOS 13.4.1
      Shell: 5.9 - /bin/zsh
    Binaries:
      Node: 18.12.1 - ~/.nvm/versions/node/v18.12.1/bin/node
      npm: 8.19.4 - ~/ryde/rider-app/node_modules/.bin/npm
    Managers:
      CocoaPods: 1.12.1 - /usr/local/bin/pod
    SDKs:
      iOS SDK:
        Platforms: DriverKit 22.4, iOS 16.4, macOS 13.3, tvOS 16.4, watchOS 9.4
    IDEs:
      Android Studio: 2022.1 AI-221.6008.13.2211.9619390
      Xcode: 14.3.1/14E300c - /usr/bin/xcodebuild
    npmPackages:
      @expo/metro-config: ^0.10.6 => 0.10.7
      babel-preset-expo: ^9.3.2 => 9.5.1
      expo: ^49.0.6 => 49.0.6
      react: 18.2.0 => 18.2.0
      react-dom: 18.2.0 => 18.2.0
      react-native: 0.72.3 => 0.72.3
      react-native-web: ~0.19.6 => 0.19.7
    npmGlobalPackages:
      eas-cli: 3.18.3
      expo-cli: 6.1.0
    Expo Workflow: bare

Error output

No response

Reproducible demo or steps to reproduce from a blank project

Unfortunately, I cannot provide a consistently reproducible demo, as the issue appeared to be intermittent. On my second attempt, the build functioned as expected.

@leymytel added the "needs review" label on Aug 7, 2023

@szdziedzic
Member

Hi, thanks for reporting this. Could you help me with understanding the issue better by explaining what the issue looked like when you observed it? What kind of information did you see?

@leymytel
Author

Hi @szdziedzic, thanks for your reply.

I tried to build our app as normal and received an "Internal Server Error".
While checking the logs I realised that I can see someone else's information like the project was mine.
Nothing is related to my project.

Each of these sections has logs of their project: "Read Package.json", "Read app config", "Run expo doctor" and "prepare credentials".

Screenshot 2023-08-21 at 09 10 22

@szdziedzic
Member

Thanks! I see it now. We are investigating the issue. We will get back to you when we have some more information.

@brentvatne
Member

Hi @leymytel,

We are sorry that this happened, and we are taking this situation very seriously.

  • I have informed the developer whose logs leaked to your build details page of this incident.
  • We have determined that this was likely isolated to a specific incident involving two specific VMs, and we've followed up with what we believe will fix the issue. We will continue to work to try to reproduce the issue in our staging environment and verify that the fix is indeed sufficient. We'll also follow up with any required changes to monitoring that are required to detect if similar situations arise in the future.

Best,
Brent

@brentvatne added the "issue accepted" label and removed the "needs review" label on Aug 21, 2023

@expo-bot
Contributor

Thank you for filing this issue!
This comment acknowledges we believe this may be a bug and there’s enough information to investigate it.
However, we can’t promise any sort of timeline for resolution. We prioritize issues based on severity, breadth of impact, and alignment with our roadmap. If you’d like to help move it more quickly, you can continue to investigate it more deeply and/or you can open a pull request that fixes the cause.

@brentvatne
Member

This incident was resolved on August 21st, and we have posted about it here: https://blog.expo.dev/disclosure-for-eas-build-log-incident-c94d853631d6

Thank you again for the report.

@leymytel
Author

Thank you @brentvatne for the updates.
I appreciate your transparency.
