A flaw in popular software testing tool Travis CI exposed the secrets of thousands of open-source projects.
For at least a week – between 3-10 Sept – open-source repos that used Travis CI had their keys, credentials, and tokens exposed.
Ethereum developer Felix Lange discovered a flaw with how Travis CI handled environmental variables. Lange found that a public repo that had been forked from another could file a pull request that collects the secret environmental variables in the original upstream repository.
Péter Szilágyi, an Ethereum team leader, tweeted about the incident and the lacklustre response:
An analysis (PDF) from 2019 found that Travis CI was used for more than 932,977 open-source projects, a number that is likely even larger today.
Just look at the number of results following a GitHub code search for the travis.yml configuration file:
Travis CI did silently patch the vulnerability on 10 Sept, three days after it was reported. However, many developers aren’t happy that Travis CI seemingly attempted to sweep the whole incident under the rug and hasn’t been forthcoming with information:
Elsewhere on its website, Travis CI posted advice that “cycling your secrets is something that all users should do on a regular basis.”
Want to learn about DevOps from leaders in the space? Check out the DevOps-as-a-Service Summit on 1 February 2022, where attendees will learn about the benefits of building collaboration and partnerships in delivery.