Travis CI flaw exposed secrets of thousands of open source projects (Ars Technica)

[Security] Posted Sep 16, 2021 15:42 UTC (Thu) by corbet

This Ars Technica article describes a problem with the Travis continuous-integration service:

A security flaw in Travis CI potentially exposed the secrets of thousands of open source projects that rely on the hosted continuous integration service. Travis CI is a software-testing solution used by over 900,000 open source projects and 600,000 users. A vulnerability in the tool made it possible for secure environment variables—signing keys, access credentials, and API tokens of all public open source projects—to be exfiltrated.

Any project storing secrets in this service would be well advised to replace them.


Copyright © 2021, Eklektix, Inc.