Between 3 Sept and 10 Sept, secure env vars of *all* public @travisci repositories were injected into PR builds. Signing keys, access creds, API tokens.

Anyone could exfiltrate these and gain lateral movement into 1000s of orgs. #security 1/4

travis-ci.community/t/security-bul…
Felix Lange found this on the 7th and we notified @travisci within the hour. Their only response was "Oops, please rotate the keys", ignoring that *all* their infra was leaking.

Not getting through, we started reaching out to @github to have Travis blacklisted. 2/4
After 3 days of pressure from multiple projects, @travisci silently patched the issue on the 10th.

No analysis, no security report, no post-mortem, no warning to any of their users that their secrets might have been stolen. 3/4
Finally, after multiple ultimatums from multiple projects, @travisci posted this lame ass post hidden deep where nobody will read it: travis-ci.community/t/security-bul…

Not even a single "thank you". No acknowledgment of responsible disclosure. Not even admitting the gravity of it all. 4/4
Due to the extremely irresponsible way @travisci handled this situation, and their subsequent refusal to warn their users about potentially leaked secrets, we can only recommend that everyone immediately and indefinitely transfer away from Travis.
Just for posterity, here's their original announcement. I do hope they update it to something more meaningful.

Thread by Péter Szilágyi (karalabe.eth), @peter_szilagyi.