<p>Travis CI exposed the private credentials of thousands of open-source projects that rely on the service. Twitter user @peter_szilagyi tweeted on Tuesday: “Between the 3 Sept and 10 Sept, secure env vars of *all* public @travisci repositories were injected into PR builds. Signing keys, access creds, API tokens. Felix Lange found this on the 7th and we’ve notified @travisci within the hour. Their only response being ‘Oops, please rotate the keys’, ignoring that *all* their infra was leaking. Not getting through, we’ve started reaching out to @github to have Travis blacklisted.” Needless to say, the community is livid.</p>
<p>Travis CI is a hosted continuous-integration service that runs a project's build and tests on every push and pull request, which helps developers catch coding errors at a very early stage. The failure here was not in the tests but in the trust boundary around them: secure environment variables, which Travis is supposed to withhold from pull-request builds coming from forks, were made available to those builds, so anyone able to open a pull request against a public repository could read the signing keys, access credentials and API tokens it had configured. Any project that had secrets configured in Travis during that window should treat them as compromised and rotate them, whether or not a suspicious pull request shows up in its history. This is a blow to the reliability and security of the open-source (or formerly open-source) tooling on which modern applications are built.</p>
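<p>The check a maintainer would want in place after an incident like this, as an added example that is not code from Travis CI or from any project named in the post: a build step that fails as soon as a secure variable is readable in a pull-request build from a fork. TRAVIS_PULL_REQUEST, TRAVIS_REPO_SLUG and TRAVIS_PULL_REQUEST_SLUG are documented Travis build variables; the canary variable CANARY_SECRET is an assumption, a secure variable defined only so that this step has something to test, so the real keys are never read or printed.</p>

```shell
#!/bin/sh
# Added example, not code from Travis CI or from the projects named in the post.
# A guard step for a .travis.yml that fails the build as soon as a secure
# environment variable turns out to be readable in a pull-request build from a
# fork, which Travis documents as a build that must not receive them.
# TRAVIS_PULL_REQUEST, TRAVIS_REPO_SLUG and TRAVIS_PULL_REQUEST_SLUG are
# documented Travis build variables. CANARY_SECRET is an assumption: a secure
# variable defined only so this step can test it, so the real keys are never
# read, printed or compared here.

# Succeeds (returns 0) when the build is a pull request whose source repo
# differs from the repo being built, i.e. a PR from a fork.
# $1 = TRAVIS_PULL_REQUEST ("false" or the PR number)
# $2 = TRAVIS_REPO_SLUG, $3 = TRAVIS_PULL_REQUEST_SLUG
is_fork_pr() {
  [ "$1" != "false" ] && [ -n "$3" ] && [ "$3" != "$2" ]
}

# Returns 0 when the build is safe to continue, 1 when secure variables are
# visible where they should have been withheld. $4 = value of the canary.
check_pr_secret_exposure() {
  if is_fork_pr "$1" "$2" "$3"; then
    if [ -n "$4" ]; then
      echo "SECRETS EXPOSED: secure env vars present in a fork PR build ($3 -> $2); rotate all keys" >&2
      return 1
    fi
    echo "ok: fork PR build and secure env vars were withheld"
    return 0
  fi
  echo "ok: trusted build (push or same-repo PR), secure env vars expected"
  return 0
}

# Run against the real Travis environment, e.g. from .travis.yml:
#   before_install:
#     - sh ci/check_pr_secret_exposure.sh
main() {
  check_pr_secret_exposure "${TRAVIS_PULL_REQUEST:-false}" "${TRAVIS_REPO_SLUG:-}" \
    "${TRAVIS_PULL_REQUEST_SLUG:-}" "${CANARY_SECRET:-}"
}

main "$@"
```

<p>The canary only reveals that a secure variable was present, never a value, and failing the build early stops the rest of the job from printing or shipping anything with the leaked material. It cannot say whether an earlier pull request already read the secrets, so it complements key rotation rather than replacing it.</p>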
<p>This also underscores the urgent need for experts like Felix Lange to help ensure that critical infrastructure is protected, and the need to keep investing in the cybersecurity talent pool. We have the tools to find the next generation of experts like Felix; now we need to keep developing that talent so that resources like the open-source development stack remain a trusted backbone of software development.</p>
<p>It is well known that mobile apps themselves are a rich source of keys and secrets: extracted from the app package, they can drive automated scripts against the backend APIs, and most teams make this harder by obfuscating app code. What is less well known is that attackers can often get the same material with far less effort from public or insecure repositories and build systems, as happened in this case.</p>
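<p>The kind of search an attacker runs over public repositories, and that a team should run over its own tree before every push, as an added example that is not code from the original post or from any project it names: a grep-based scan for committed secrets. The patterns and the sample repository it builds are constructed here for illustration; none of the values are real credentials.</p>

```shell
#!/bin/sh
# Added example, not code from the original post or from any project it names.
# A minimal scan for secrets committed to a repository tree, the kind of
# search an attacker runs over public repos and that a team should run before
# every push. The patterns are deliberately narrow: long values assigned to
# names containing KEY/TOKEN/SECRET/PASSWORD, AWS access key IDs, and PEM
# private-key headers. The sample repository below is constructed here for
# illustration; none of its values are real credentials.

# Prints file:line:text for each suspicious line under directory $1.
# Returns 0 when nothing was found, 1 when at least one line matched.
scan_for_secrets() {
  if grep -rEn \
      -e 'AKIA[0-9A-Z]{16}' \
      -e '(KEY|TOKEN|SECRET|PASSWORD)[A-Z0-9_]*[[:space:]]*=[[:space:]]*"?[^[:space:]"#]{12,}' \
      -e '-----BEGIN [A-Z ]*PRIVATE KEY-----' \
      "$1"; then
    return 1
  fi
  return 0
}

# Builds a constructed sample repo in a temp dir and prints its path.
# It mixes real-looking leaks with lines that must not be flagged: an encrypted
# Travis "secure:" entry, a short non-secret value and a documentation placeholder.
make_sample_repo() {
  dir=$(mktemp -d)
  mkdir -p "$dir/app" "$dir/deploy"
  cat >"$dir/.travis.yml" <<'EOF'
language: go
env:
  global:
    - secure: "Zm9vYmFyY29uc3RydWN0ZWRlbmNyeXB0ZWRibG9i"
    - DEPLOY_TOKEN=ghp_constructedExampleToken0123456789
    - KEY_COUNT=3
EOF
  cat >"$dir/app/Config.java" <<'EOF'
public final class Config {
    static final String API_KEY = "AKIAEXAMPLEKEY123456";
    static final String HELP = "set API_KEY=<your key here> in the environment";
}
EOF
  printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' \
    'MIIEconstructedNotARealKeyBody' \
    '-----END RSA PRIVATE KEY-----' >"$dir/deploy/id_rsa"
  echo "$dir"
}

# Demonstration: three lines are reported (DEPLOY_TOKEN, API_KEY, the PEM
# header) and the scan exits non-zero, which is what a CI step wants.
repo=$(make_sample_repo)
scan_for_secrets "$repo" || echo "findings above: remove them and rotate the credentials" >&2
```

<p>The encrypted <code>secure:</code> entry is the form a Travis secret should take in a committed file, and it is not flagged; the plaintext <code>DEPLOY_TOKEN</code> next to it is exactly what an attacker is looking for. A tool such as this finds secrets that are already in the history, so a finding means rotating the credential, not just deleting the line.</p>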
<p>If your business depends on apps, this demonstrates the urgency of deploying run-time API shielding, so that a stolen key or token alone is not enough and the API also verifies that each request comes from a genuine, untampered app before honouring it. That is the only way to stop attackers compromising your APIs with whatever secrets they do manage to acquire.</p>