top | item 43366752

(no title)

bfelbo | 11 months ago

Cursor uploads files like credentials.json, .env, and .git-credentials to their servers for their Cursor Tab model. They do this despite those files being clearly credential secrets and even if these files are listed in .gitignore. See the link for a forum post with repro and details by a Cursor user.

You can use a .cursorignore file to prevent the upload, but you need to have that file present before you open the project in Cursor. You also need to update your .cursorignore file before saving any new credential files into your directory to prevent Cursor from uploading them.

Cursor users might feel safe when they have privacy mode enabled, but IMO that feels like false safety. The Cursor team have responded to the forum post describing the security issue saying that privacy mode only means that the sent files aren't stored in plaintext. They don't say anything about not training on uploaded files.

I have no affiliation with Cursor or any other AI IDE company. Sharing as I use Cursor myself and was shocked to see it autocomplete my own secrets and that it uploads such sensitive files.

discuss

No comments yet.