CircleCI – code-building service suffers total credential compromise
2023-01-09 19:52

If you're a programmer, whether you code for a hobby or professionally, you'll know that creating a new version of your project - an official "release" version that you yourself, or your friends, or your customers, will actually install and use - is always a bit of a white-knuckle ride.

The idea behind continuous integration (CI) is simple: every time anyone makes a change in their part of the project, grab that person's new code and whisk it through a full build-and-test cycle, just as you would before creating a final release version.

Builds happen all day, every day, so that coders can tell long in advance if they've inadvertently made "improvements" that negatively affect everyone else - breaking the build, as the jargon might say.

Sure, even after a successful test build, your new code may still have bugs in it, but at least you won't get to the end of a development cycle and then find that everyone has to go back to the drawing board just to get the software to build and work at all, because the various components have drifted out of alignment.

Early software development methods were often referred to as following a waterfall model, where everyone worked harmoniously but independently as the project drifted gently downriver between version deadlines, until everything came together at the end of the cycle to create a new release, ready to plunge over the tumultuous waterfall of a version upgrade, only to emerge into another gentle period of clear water downstream for further design and development.

Cybercriminals may now have access tokens and cryptographic keys that could give them a way back into your own network, especially because CI build processes sometimes need to "call home" to request code or data that you can't or don't want to upload into the cloud.
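The practical follow-up to the warning above is to know which secrets your pipelines actually hold so they can be rotated and their use hunted for. As an added illustration (not code from the article or from CircleCI), the script below scans a CircleCI-style pipeline config for the environment variables and contexts it references; the config itself is a constructed sample, and the host name in it is a placeholder.

```python
import re

# Constructed sample of a CircleCI-style config (not from the article);
# assets.corp.example is a placeholder for an internal "call home" host.
SAMPLE_CONFIG = """\
version: 2.1
jobs:
  build:
    docker:
      - image: cimg/python:3.11
    steps:
      - checkout
      - run: pip install -r requirements.txt
      - run:
          name: Fetch private assets from an internal host
          command: curl -H "Authorization: Bearer $INTERNAL_ASSETS_TOKEN" https://assets.corp.example/pkg.tgz -o pkg.tgz
      - run: echo "${DEPLOY_KEY}" > ~/.ssh/id_ed25519
workflows:
  release:
    jobs:
      - build:
          context:
            - aws-prod
            - deploy-keys
"""

ENV_REF = re.compile(r"\$\{?([A-Z][A-Z0-9_]*)\}?")        # $NAME or ${NAME}
CONTEXT_LINE = re.compile(r"^\s*context:\s*(\S+)?\s*$")      # inline or list form
CONTEXT_ITEM = re.compile(r"^\s*-\s*([A-Za-z0-9_.-]+)\s*$")  # "- name" under a list

def inventory_secrets(config_text: str) -> dict[str, list[str]]:
    """List env vars and contexts the config pulls from CI-stored secrets: each
    is a credential to rotate after a provider-side compromise."""
    env_vars: set[str] = set()
    contexts: set[str] = set()
    in_context_list = False
    for line in config_text.splitlines():
        m = CONTEXT_LINE.match(line)
        if m:
            if m.group(1):                 # context: single-name
                contexts.add(m.group(1))
            in_context_list = m.group(1) is None   # list items follow
            continue
        if in_context_list:
            item = CONTEXT_ITEM.match(line)
            if item:
                contexts.add(item.group(1))
                continue
            in_context_list = False        # list ended, fall through
        env_vars.update(ENV_REF.findall(line))
    return {"env_vars": sorted(env_vars), "contexts": sorted(contexts)}
```

Running `inventory_secrets(SAMPLE_CONFIG)` yields a rotation checklist: the two tokens and the two contexts the pipeline relies on.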


News URL

https://nakedsecurity.sophos.com/2023/01/09/circleci-code-building-service-suffers-total-credential-compromise/