BACKGROUND:
Travis CI exposes private creds of thousands of open source projects that rely on the service. Twitter user @peter_szilagyi tweeted on Tuesday that “Between the 3 Sept and 10 Sept, secure env vars of *all* public @travisci repositories were injected into PR builds. Signing keys, access creds, API tokens. Felix Lange found this on the 7th and we’ve notified @travisci within the hour. Their only response being “Oops, please rotate the keys”, ignoring that *all* their infra was leaking. Not getting through, we’ve started reaching out to @github to have Travis blacklisted.” Needless to say, the community is livid!
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.