Travis CI
Overview
For 7 days, Travis CI pull request builds on public repositories were exposing secure environment variables that should only have been available to trusted builds.
Impact
Signing keys, access credentials and API tokens may have been leaked; an attacker holding them could use them to gain a foothold on thousands of customer networks.
Affected Products
Public repositories using Travis CI.
Containment, Mitigations & Remediations
Travis CI recommends that affected users rotate their secrets. The company has not reached out to affected parties or made any serious attempt to inform the public about the issue.
Based on the vendor response, the security researchers who found the vulnerability recommend switching away from Travis CI altogether.
Threat Landscape
In 2019 the company was acquired and a large portion of their development team was fired.
MITRE Methodologies
– T1555 – Credentials from Password Stores