Replay: Make unmasking of detectable sensitive fields impossible #10258
Comments
Yes, we force masking of password inputs in rrweb itself!
There are ways to infer if something is a credit card field etc. I think I've written this down somewhere already at some point, but no idea where, but the easiest approach is to look at this: https://developer.mozilla.org/en-US/docs/Web/HTML/Attributes/autocomplete The following could be considered un-unmaskable:
this obv. only works if these are set, but they are also very reliable and we can pretty much rule out false positives there, I think. |
We had an issue where a replay that was explicitly unmasking everything had some input=password show its content. We'll investigate further. First look from @mydea had him say:
Additional context we received in how this situation can happen:
|
bruno-garcia
changed the title
This tests masking of initial & updated values for password & credit card fields. You can see that for now credit card data is not masked, which demonstrates the current behavior. In a future PR we can then verify that our fixed masking is working. ref getsentry/sentry-javascript#10258
This is on top of #165, actually fixing the behavior so that certain fields cannot be unmasked. This is a pretty straightforward fix, a bit "hacky" but should work well enough. Fixes getsentry/sentry-javascript#10258 --------- Co-authored-by: mydea <mydea@users.noreply.github.com>
This bumps our rrweb-fork to 2.11.0, which mainly includes an improvement to avoid capturing credit card inputs. See: https://github.com/getsentry/rrweb/releases/tag/2.11.0 Fixes #10258 I also added a test in replay itself to verify that this works as expected!
This bumps our rrweb-fork to 2.11.0, which mainly includes an improvement to avoid capturing credit card inputs. See: https://github.com/getsentry/rrweb/releases/tag/2.11.0 Fixes #10258 I also added a test in replay itself to verify that this works as expected!
This tests masking of initial & updated values for password & credit card fields. You can see that for now credit card data is not masked, which demonstrates the current behavior. In a future PR we can then verify that our fixed masking is working. ref getsentry/sentry-javascript#10258
This is on top of #165, actually fixing the behavior so that certain fields cannot be unmasked. This is a pretty straightforward fix, a bit "hacky" but should work well enough. Fixes getsentry/sentry-javascript#10258 --------- Co-authored-by: mydea <mydea@users.noreply.github.com>
Sentry Replay by default masks all text. But users are able to unmask things by opt-ing out of unmasking.
An additional safety net is to skip the unmasking process for some field types, like
type='password':Some sensitive fields are not well defined but somehow integrations like
1passwordcan pre-fill credit card and CVV info.Would be great to also avoid recording those altogether. To make sure someone who accidently (or due to malice) removed masking does not capture that data.
The text was updated successfully, but these errors were encountered: