Connect with us

Hi, what are you looking for?

Hard News Hard Hitting News Source Global Political News

Cyber Security

Credential leak fears raised following security breach at Travis CI

Concern is growing within the infosec community that a breach at DevOps platform vendor Travis CI might run deeper than the firm has so far been prepared to admit.

Travis CI, a continuous integration and continuous delivery (CI/CD) service for cloud platform projects, admitted to an issue in a post on its community forums while also downplaying its significance:

According to a received report, a public repository forked from another one could file a pull request (standard functionality e.g in GitHub, BitBucket, Assembla) and while doing it, obtain unauthorized access to secret from the original public repository with a condition of printing some of the flies during the build process.

In this scenario secrets are still encrypted in the Travis CI database.

The issue is valid only for public repositories not private repositories. (In case of private repository, repository owner has a full control on ability of someone to fork the repository.)

The vendor said that it has resolved the underlying problem with a series of security patches, adding that users should consider making changes to their pass codes and authentication tokens as a precaution.

Security researcher Péter Szilágyi, team leader at Etherium, slammed Travis CI for dismissing a security breach that posed a supply chain poisoning risk to enterprises that used the vendor in their software development process.

“Between Sept 3 and Sept 10, secure env vars of *all* public @travisci repositories were injected into PR [pull request] builds,” Szilágyi said in a thread on Twitter. “Signing keys, access creds, API tokens. Anyone could exfiltrate these and gain lateral movement into 1000s of orgs.

“Felix Lange found this on the 7th and we’ve notified @travisci within the hour. Their only response being ‘Oops, please rotate the keys’, ignoring that *all* their infra[structure] was leaking.”

Szilágyi further criticised Travis CI for its failure to acknowledge reports of vulnerabilities to its systems or to follow incident response best practices. “No analysis, no security report, no post-mortem, not warning any of their users that their secrets might have been stolen,” he concluded.

Their poor handling of the problem ought to prompt its enterprise users to consider migrating away from Travis CI, Szilágyi advised.

Infosec specialist Jake Williams agreed that Travis CI was guilty of an “abysmal failure in handling an extremely serious vulnerability”.

Garbage

Travis CI is yet to respond to multiple requests from The Daily Swig to respond to these criticisms.

Even less critical third party observers noted that users attempting to follow Travis CI’s advice would likely run into practical difficulties.

“The fact that @travisci posted this without a straightforward way to see which of your repos are (1) public and (2) have build secrets is garbage,” said yan, a security engineer working on the privacy-focused Brave browser.

Source: https://portswigger.net/daily-swig/credential-leak-fears-raised-following-security-breach-at-travis-ci

Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

You May Also Like

Cyber Security

Popular DevOps platform CircleCI has blamed an attack that successfully planted malware on an internal engineer’s laptop for a recent security breach. The attack, acknowledged on January...

Cyber Security

Slack suffered a security breach recently, “involving unauthorized access to a subset of Slack’s code repositories” according to the messaging platform. The company said that although no...

Cyber Security

A new tool enables developers to better protect themselves against vulnerabilities in popular file converter ImageMagick, which has suffered from various security holes in...

Cyber Security

Prototype pollution is a dangerous bug class associated with prototype-based languages, the most popular among them JavaScript. One researcher, however, has found a variant of...

Copyright © 2023 Hard News Herd Hitting in Your Face News Source | World News | Breaking News | US News | Political News Website by Top Search SEO