Tell HN: Travis CI is seemingly compromised (once again)

160 points | spondyl | 3 years ago

A number of Travis CI users appear to have had Travis CI tokens revoked by Github in response to suspicious activity surrounding the token.

Travis themselves have still not issued any notice or acknowledged this incident, so it's worth letting the community know if they weren't already aware.

From memory, this will be the second breach in 2022 (https://blog.aquasec.com/travis-ci-security) in addition to last year's secret exposure (https://arstechnica.com/information-technology/2021/09/travi...).

---

A sampling of users on Twitter who have run into this issue:

https://twitter.com/peter_szilagyi/status/160059327410805555...

https://twitter.com/yaqwsx_cz/status/1600599797118996491

https://twitter.com/samonchain/status/1600611567606775808

https://twitter.com/dzarda_cz/status/1600613369408634886

---

An example notice being sent out by Github (in lieu of Travis themselves taking any action):

> Hi {username}

> We're writing to let you know that we observed suspicious activity that suggests a threat actor used a Personal Access Token (PAT) associated with your account to access private repository metadata.

> Out of an abundance of caution, we reset your account password and revoked all of your Personal Access Tokens (classic), OAuth App tokens, and GitHub App tokens to protect your account, {username}.

53 comments

stuaxo | 3 years ago
Not surprising after they got rid of so many devs; it reminds me of another company that did that recently. I wonder how long we will have to wait for that to start having issues.
rattlesnakedave | 3 years ago
I’m sure any day now. Better hold your breath!
jahnu | 3 years ago
I think it’s fair to say it’s been surprising to many of us that it hasn’t had any major public issues yet. I speculate that changing it, adding features, upgrading deps, is now slow and difficult as all hands are probably busy keeping it just functional.
stronglikedan | 3 years ago
The other company got rid of freeloaders, so it could afford devs, and it's already better off for it.
transcriptase | 3 years ago
I hope it has someone wealthy backing it, or access to software engineers capable of untangling the truly astonishing complexity of the product. I wouldn’t want to see a company fail because top Silicon Valley talent would never compromise ethically for high compensation if they needed to bring on developers in a pinch.
piskerpan | 3 years ago
I’m surprised it’s still around. Since GitHub released Actions and Travis abandoned the freemium, there weren’t many reasons to stay.
fmajid | 3 years ago
I can't believe it took me so long to formally flip the bozo bit on Travis CI by instructing my RSS feed reader never to show me anything about it any more.
p0nce | 3 years ago
arm64 is one reason.
nailer | 3 years ago
Travis the company had an exit a few years ago, the general feeling since is that the product isn't really maintained anymore. If your needs are simple, GitHub Actions works well, if you need features like insane parallelization, use Circle.
mjlawson | 3 years ago
Github Actions supports heavy parallelization and fan-in/fan-out jobs just like CircleCI does, so I'm curious if there are some limitations that I haven't run into yet. I'd go further and say that their documentation is much richer and easier to search.
NuMessiah | 3 years ago
The Github audit log is unusable when trying to figure out what the "suspicious activity" is. For the repo category only the actions which change something are logged. At least for the enterprise plan I would like to see the audit log work more like AWS CloudTrail: just log all the API calls.
ethbr0 | 3 years ago
And maybe highlight some? Github's internal systems already triggered on something, so why not (at least generally, to preserve method) indicate that to a user?
josteink | 3 years ago
I remember using Travis for everything (although on their free tier).

After they did organizational changes, and some other stuff, I noticed my builds were hardly running. Many never started, and even more never completed.

Travis was causing more issues than it solved for my projects' Github PRs.

I'm honestly surprised to see people still using Travis now, a few years down the line.

sensitivefrost | 3 years ago
Bug bounty people (myself included, though mine's quite aged) have written scrapers on all the main popular CI/CD platforms, to automagically scrape tokens from logs & submit bug reports to get paid. Unsurprising if malicious actors have done the same.
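A defender-side counterpart to the log scraping described in the comment above, as an added example (not code from the thread): it scans CI build output for the documented GitHub token shapes (classic `ghp_`/`gho_`/`ghu_`/`ghs_`/`ghr_` tokens and fine-grained `github_pat_` tokens), notes whether each hit sits in a git remote URL or an Authorization header, and produces a redacted copy so a pipeline can fail or scrub the log before it is published. The sample log and every token value in it are constructed, not real.

```python
import re
from dataclasses import dataclass

# Documented GitHub token shapes: "<family>_" + 36 chars for classic PAT, OAuth,
# user-to-server, server-to-server and refresh tokens; fine-grained PATs are
# "github_pat_" + 22 chars + "_" + 59 chars. Legacy 40-hex tokens are skipped
# because they are indistinguishable from SHA-1 hashes in build output.
TOKEN_RE = re.compile(
    r"\b(?P<classic>(?:ghp|gho|ghu|ghs|ghr)_[A-Za-z0-9]{36})\b"
    r"|\b(?P<fine>github_pat_[A-Za-z0-9]{22}_[A-Za-z0-9]{59})\b"
)
AUTH_HDR_RE = re.compile(r"Authorization:\s*(?:token|Bearer)\s+", re.I)

@dataclass
class Finding:
    line_no: int
    family: str          # "classic" or "fine"
    redacted: str        # prefix + "****" + last 4 chars, safe to put in a report
    in_url: bool         # token embedded as a credential in an https:// URL
    in_auth_header: bool # token sits right after "Authorization: token|Bearer"

def redact_token(tok: str) -> str:
    prefix = "github_pat_" if tok.startswith("github_pat_") else tok[: tok.index("_") + 1]
    return f"{prefix}****{tok[-4:]}"

def scan_log(log: str) -> list[Finding]:
    findings: list[Finding] = []
    for n, line in enumerate(log.splitlines(), start=1):
        for m in TOKEN_RE.finditer(line):
            tok, before = m.group(0), line[: m.start()]
            hdr = AUTH_HDR_RE.search(before)
            findings.append(Finding(
                line_no=n,
                family="fine" if m.group("fine") else "classic",
                redacted=redact_token(tok),
                in_url="://" in before and line.startswith("@", m.end()),
                in_auth_header=hdr is not None and hdr.end() == len(before),
            ))
    return findings

def redact_log(log: str) -> str:
    """Return the log with every matched token replaced by its redacted form."""
    return TOKEN_RE.sub(lambda m: redact_token(m.group(0)), log)

# Constructed sample values and log lines (made-up strings that only follow the shapes).
FAKE_CLASSIC = "ghp_" + "A" * 32 + "1234"
FAKE_FINE = "github_pat_" + "B" * 22 + "_" + "C" * 55 + "wxyz"
SAMPLE_LOG = (
    f"$ git clone https://x-access-token:{FAKE_CLASSIC}@github.com/acme/private.git\n"
    "Cloning into 'private'...\n"
    f'$ curl -H "Authorization: token {FAKE_FINE}" https://api.github.com/user\n'
    "$ echo build finished\n"
)

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f)
```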
ransom1538 | 3 years ago
I might get a ton of hate here. But just use jenkins [if you cannot use modern tools like GHA]. Put it on a port 8085 for example, go to your cloud providers security rules, block all requests to port 8085 that are not using a VPN. Sleep like a baby at night. The end.
jesuspiece | 3 years ago
People use TravisCI still? GitHub Actions, Circle, AWS Pipelines... There were so many better options.
barbazoo | 3 years ago
Same was said about CircleCI yesterday.
hdjjhhvvhga | 3 years ago
As a long-time Jenkins user who never hopped the Travis/Circle bandwagon, is there any reason to consider these in 2023?
djbusby | 3 years ago
I used to be a Jenkins user. Now I'm all in on GitLab and it's got some cool CI things.

Migrating was tedious, not difficult. We went slow, took a while and needed little scaffolding.

jghn | 3 years ago
I saw this happen in a couple of orgs I’m in that don’t use Travis, at least to my knowledge.
nstart | 3 years ago
If a team member uses a personal token with Travis and the personal token can access private org repos, there’s a chance this can trigger.
zaps | 3 years ago
The whole travis-ci.org vs travis-ci.com thing was too confusing