Expert Comments – Travis CI Flaw Reveals *All* Keys, Credentials, And API Tokens, “Developers Furious”

By   ISBuzz Team
Writer , Information Security Buzz | Sep 17, 2021 03:50 am PST


Travis CI exposes private creds of thousands of open source projects that rely on the service. Twitter user @peter_szilagyi Tweeted on Tuesday that “Between the 3 Sept and 10 Sept, secure env vars of *all* public @travisci repositories were injected into PR builds. Signing keys, access creds, API tokens. Felix Lange found this on the 7th and we’ve notified @travisci within the hour. Their only response being “Oops, please rotate the keys”, ignoring that *all* their infra was leaking. Not getting through, we’ve started reaching out to @github to have Travis blacklisted.”   Needless to say, the community is livid!

Notify of
2 Expert Comments
Oldest Most Voted
Inline Feedbacks
View all comments
Doug Britton
Doug Britton , CEO
September 17, 2021 11:54 am

<p>Travis-ci is a very useful tool to help developers spot coding errors at a very early stage. This vulnerability is a shock to the reliability and security of open-source (or formerly open sourced) tools that help build modern applications.</p>
<p>This also underscores the urgent need for experts like Felix Lange to help ensure critical infrastructure is protected. We need to continue our investment in growing the cybersecurity talent pool. We have the tools to find the next generation of experts such as Felix, now we need to continue our investment and development of talent to ensure resources like the open-source development stack remains a trusted backbone of software development.</p>

Last edited 2 years ago by Doug Britton
George McGregor
George McGregor , VP of Marketing
September 17, 2021 11:53 am

<p>It is well known that mobile apps themselves are a rich source of keys and secrets which can be used in automated scripts to attack APIs and most teams take steps to make this harder by obfuscating app code. What is less well know is that attackers can often get what they need from public or insecure repositories, as in this case.</p>
<p>This demonstrates the urgency of deploying API shielding technology at run-time if your business depends on apps. This is the only way to stop attackers compromising your APIs with any secrets they do manage to acquire.</p>
<p> </p>

Last edited 2 years ago by George McGregor

Recent Posts

Would love your thoughts, please comment.x