We released sentry-cocoa 3.10.0, which resolves a security incident that may have affected users on macOS apps without a sandbox. We urge Mac users to update via CocoaPods, Carthage, or direct checkout. Without that update, it is possible that events may be sent to other users’ Sentry apps and installations.
Specifically, if a user has two Sentry-based apps on their Mac and App A crashes, the event from App A is sent to the configured project App B when it launches.
When we originally wrote sentry-swift and sentry-cocoa, the libraries were aimed towards iOS. Because we are quite limited by the operating system in what can be done at the time of the crash, we decided to dump out the crash info into one or more JSON files in the
NSCachesDirectory in an
io.sentry sub-folder. When the application is sandboxed, that folder is local to the application. However, we had not previously considered what would happen if Sentry is not used in a sandboxed environment (which can only happen on macOS), causing us to overlook that this folder is indeed shared across apps.
How we fixed it
With this update to sentry-cocoa 3.10.0, the crashes are now stored in sub-folders in
io.sentry that are based on the SHA1 hash of the client’s DSN. For security reasons, we no longer consult the old location. This means that, with this update, crashes that were created in older releases of Sentry will no longer be sent on the first relaunch after update.
What you should do
- If you are not using sentry-cocoa for macOS crashes or you are using the macOS sandbox you don’t need to do anything.
- If you are still using
sentry-swift, update to
- If you are using a version of
sentry-cocoalower than 3.10.0, update to
Please contact email@example.com with any questions or concerns.