Most Loved Programming Language Rust Sparks Privacy Concerns

Accepted submission by Anonymous Coward at 2021-04-04 06:20:07
Security

Most loved programming language Rust sparks privacy concerns [bleepingcomputer.com]

Rust developers have repeatedly raised concerns about an unaddressed privacy issue over the last few years. [...] However, for the longest time developers have been bothered by their production builds leaking potentially sensitive debug information.

In early 2017, a Rust developer filed an issue [github.com] on the Rust lang's GitHub asking, "How can I stop rustc [from] including system specific information such as absolute file paths of the source it's compiled from in the binaries it generates? [...] These absolute path names revealed the developer's system username and the overall structure of directories, including the home directory."

[...] At first glance, this "leak" of usernames and absolute paths may seem trivial to a reader. However, over the years, many more developers were left surprised to notice such information being included not just in debug builds but their production Rust builds as well [1, 2, 3, 4, ...] and pushed for a change.

[...] Interestingly, despite being a privacy risk, the inadvertent inclusion of metadata such as absolute paths may aid computer forensics experts and law enforcement as the path could reveal system usernames. Of course, any developer who is aware of this issue can trivially build their Rust applications inside of a container, and use a pseudonymous username to minimize impact from the issue.

======== Extended Copy ==========

To understand if Rust considered this a vulnerability or planned on a bug fix, BleepingComputer reached out to the Rust core team for comment.

"We agree that this is a bug worth fixing and will be supporting our teams in solving it," Manish Goregaokar of the Rust team and a senior software engineer at Google told BleepingComputer.

Although at this time, it is not known how or when the Rust team plans on resolving this issue, the increased pressure from the developer community seems to be steering Rust maintainers into an actionable direction.
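
A release-time check for the leak described above, as an added example that is not code from the article or from the Rust project: it pulls printable strings out of a build artifact and reports any user name that follows a home-directory prefix. The prefix list, the function names and the sample bytes are assumptions made for illustration, and the match is a heuristic, not a parser for any binary format.

```rust
// Added example (not from the article): flag home-directory paths in a build artifact.
use std::collections::BTreeSet;

// Assumed prefix list; extend it for the layout of your own build hosts.
const PREFIXES: [&str; 4] = ["/home/", "/Users/", "C:\\Users\\", "C:/Users/"];

// Constructed sample standing in for the bytes of a release binary.
const SAMPLE: &[u8] = b"\x7fELF\0\0panicked at /home/alice/.cargo/registry/src/demo-0.1.0/src/lib.rs\0C:\\Users\\bob\\proj\\src\\main.rs\0/rustc/lib.rs\0";

/// Printable-ASCII runs of at least `min` bytes, similar to strings(1).
fn ascii_runs(data: &[u8], min: usize) -> Vec<String> {
    data.split(|b| !(0x20..0x7f).contains(b))
        .filter(|run| run.len() >= min)
        .map(|run| String::from_utf8_lossy(run).into_owned())
        .collect()
}

/// Distinct user names that follow a home-directory prefix in `data`.
fn leaked_users(data: &[u8]) -> BTreeSet<String> {
    let mut users = BTreeSet::new();
    for s in ascii_runs(data, 8) {
        for p in PREFIXES.iter() {
            for (i, _) in s.match_indices(*p) {
                let rest = &s[i + p.len()..];
                let name: String = rest.chars().take_while(|c| *c != '/' && *c != '\\').collect();
                // Require a separator after the name so only real paths count.
                if !name.is_empty() && rest.len() > name.len() {
                    users.insert(name);
                }
            }
        }
    }
    users
}

fn main() {
    // Audit the file named on the command line, or the constructed sample.
    let data = match std::env::args().nth(1) {
        Some(p) => std::fs::read(p).expect("cannot read file"),
        None => SAMPLE.to_vec(),
    };
    println!("user names in embedded paths: {:?}", leaked_users(&data));
}
```

A non-empty result on a release artifact means the build host's directory layout shipped with it; building in a container under a pseudonymous user, as the article suggests, or passing rustc's `--remap-path-prefix` option are the usual ways to shrink it.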
