Travis CI flaw exposed secrets of thousands of open source projects

by Ax Sharma, Ars Technica (https://arstechnica.com/)

A security flaw in Travis CI potentially exposed the secrets of thousands of open source projects that rely on the hosted continuous integration service. Travis CI is a software-testing solution used by over 900,000 open source projects and 600,000 users. A vulnerability in the tool made it possible for secure environment variables (signing keys, access credentials, and API tokens) of all public open source projects to be exfiltrated.

Worse, the developer community is upset about the poor handling of the vulnerability disclosure process and the brief "security bulletin" it had to force out of Travis.

Environment variables injected into pull request builds

Travis CI is a popular software-testing tool due to its seamless integration with GitHub and Bitbucket. As the makers of the tool explain:
