Travis CI Flaw Exposed Secrets of Thousands of Open Source Projects
upstart writes:
Travis CI flaw exposed secrets of thousands of open source projects:
[Travis CI is a popular software-testing tool due to its seamless integration with GitHub and Bitbucket.]
A security flaw in Travis CI potentially exposed the secrets of thousands of open source projects that rely on the hosted continuous integration service. Travis CI is a software-testing solution used by over 900,000 open source projects and 600,000 users. A vulnerability in the tool made it possible for secure environment variables (signing keys, access credentials, and API tokens) of all public open source projects to be exfiltrated.
Worse, the dev community is upset about the poor handling of the vulnerability disclosure process and the brief "security bulletin" it had to force out of Travis.
When you run a build, Travis CI clones your GitHub repository into a brand-new virtual environment and carries out a series of tasks to build and test your code. If one or more of those tasks fail, the build is considered broken. If none of the tasks fail, the build is considered passed and Travis CI can deploy your code to a web server or application host.
But this month, researcher Felix Lange found a security vulnerability that caused Travis CI to include the secure environment variables of all public open source repositories that use Travis CI in pull request builds. Environment variables can include sensitive secrets like signing keys, access credentials, and API tokens. If these variables are exposed, attackers can abuse the secrets to obtain lateral movement into the networks of thousands of organizations.
Read more of this story at SoylentNews.
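The condition the story describes is secure environment variables being present while a pull request from a fork is built. The following guard is an added example, not code from Travis CI or from any project in the story; it relies on Travis CI's documented build variables (TRAVIS_PULL_REQUEST, TRAVIS_SECURE_ENV_VARS, TRAVIS_REPO_SLUG, TRAVIS_PULL_REQUEST_SLUG), while the function name and its exit codes are this example's own choices.

```shell
#!/bin/sh
# Added example: detect a fork pull request build that has secure
# environment variables available, the situation described above.
# Variable names follow Travis CI's documented build environment;
# the function and its return codes are this example's own design.

# Arguments: pull_request  secure_env_vars  repo_slug  pr_slug
# Returns 0 when no secrets can reach an untrusted build,
#         1 when a fork pull request build has secure variables present.
check_pr_secret_exposure() {
    pr="$1"; secure="$2"; repo="$3"; pr_slug="$4"

    # Not a pull request build (push build): secrets are expected here.
    [ "$pr" = "false" ] && return 0
    # Travis reports no secure variables injected: nothing to leak.
    [ "$secure" != "true" ] && return 0
    # Pull request from the same repository, i.e. from a collaborator
    # who already has push access; not a fork.
    [ "$pr_slug" = "$repo" ] && return 0

    echo "WARNING: fork pull request #$pr from $pr_slug is running with secure env vars" >&2
    return 1
}

# Typical use at the top of a build script: stop before the rest of the
# job runs with secrets in the environment, and flag the secrets for rotation.
if ! check_pr_secret_exposure "${TRAVIS_PULL_REQUEST:-false}" \
        "${TRAVIS_SECURE_ENV_VARS:-false}" \
        "${TRAVIS_REPO_SLUG:-}" "${TRAVIS_PULL_REQUEST_SLUG:-}"; then
    echo "Refusing to continue; treat the secure variables of this job as exposed." >&2
    exit 1
fi
```

Because a pull request can also change the build script itself, this check is a detection signal for the project's own logs rather than a boundary; the actual fix lives in the CI service, and secrets that were available to such builds still need rotating.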