Facilitating the Spread of Knowledge and Innovation in Professional Software Development

Write for InfoQ


Choose your language

InfoQ Homepage News Travis CI Vulnerability Potentially Leaked Customer Secrets

Travis CI Vulnerability Potentially Leaked Customer Secrets

This item in japanese

Popular continuous integration and delivery service Travis CI disclosed a vulnerability that potentially leaked secure environment variables, including signing keys, access credentials, and API tokens. The flaw was quickly fixed on September 10, but the developer community found Travis CI handling of this issue insufficient.

The vulnerability, which was described in a CVE advisory, allowed an unauthorized actor to get access to customer secrets by simply forking a repo and printing some files during the automated build process triggered by a PR.

Travis CI provided further details in a security bulletin published a few days after the patch was deployed. Specifically, the vulnerability only affected public repositories and only those that were forked.

If you have a Public Repository that was forked, then there was a possibility that someone from the forked (copied) project might have been able to have seen the original project’s Secret ONLY for a short time while doing a build.

Travis CI bulletin also made clear the vulnerability exposed sensitive data only during a build, while their security at rest was granted at all times through encryption.

According to Ethereum team lead Péter Szilágyi, the vulnerability was discovered by go-ethereum developer Felix Lange on September 7 and promptly notified to Travis CI. Here is when Travis CI started to be upsetting, Szilágyi continues.

Their only response being "Oops, please rotate the keys", ignoring that all their infra was leaking. Not getting through, we've started reaching out to @github to have Travis blacklisted.

It took three days of pressure, says Szilágyi, to get Travis CI take action and "silently patch" the issue, but without the required due diligence:

No analysis, no security report, no post mortem, not warning any of their users that their secrets might have been stolen.

Szilágyi's criticism was joined by several other developers both on Twitter and on Hacker News.

As mentioned, Travis CI issued a security bulletin providing more details about the vulnerability and clarifying they implemented security patches starting on September 3. They also reminded users that cycling secrets should be carried through on a regular basis.

InfoQ has reached out to Travis CI for a comment on community criticism but we haven't received yet a reply. We will update this article when Travis CI gets back to us.

Rate this Article