Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

security: Circle CI Dec 22, 2022 Breach Incident #402

Open
kitten opened this issue Jan 14, 2023 · 3 comments
Open

security: Circle CI Dec 22, 2022 Breach Incident #402

kitten opened this issue Jan 14, 2023 · 3 comments
Assignees
@kitten

Comments

@kitten
Copy link
Member

kitten commented Jan 14, 2023
edited
Loading

See for Incident Report

Related: urql-graphql/urql#2927

Summary

Circle CI has reported that on December 22, 2022 attackers had access to their systems and were potentially able to extract stored data, encrypted at rest, and — more importantly — encryption keys from any running system. As far as I'm aware, this potentially affects any environment variable secret that is stored in Circle CI.

Procedure

As a safety precaution, I'd like to make sure we invalidate and rotate every secret that is stored in Circle CI that affects this repository.

We have no reason to believe any secrets were actually exposed or compromised just yet, but there's no excuse for us not to proactively rotate them.

Task

This repository is and has used Circle CI actively. The configuration file can be found here: https://github.com/urql-graphql/urql-devtools/blob/4e7f7f6366984595cd119788d05107b382dbaba6/.circleci/config.yml (Last updated: Mar 18, 2022)

The secrets listed in this file are:

  • CLIENT_SECRET (Chrome extension publishing secret)
  • FIREFOX_API_SECRET (Firefox extension publishing secret)
  • REFRESH_TOKEN (Chrome store API key)
  • npm_TOKEN (HIGH RISK, npm publishing token)

Note: The good news here is that the extension stores' publishing process is "sluggish", meaning, that we have a bit of time to rotate the secrets. The npm token's origin and access is probably more worrying.

These secrets should be invalidated as soon as possible.

cc @JoviDeCroock @gksander @andyrichardson @ryan-roemer
@kitten kitten mentioned this issue Jan 14, 2023
Closed
@kitten
Copy link
Member Author

kitten commented Jan 14, 2023

I don't know where the npm_TOKEN comes from (ending in d33a). It may still be an access token by @andyrichardson and not granular. In case it is granular, I've disabled publishing via access tokens entirely temporarily (npm > Publishing access > "Require two-factor authentication and disallow tokens"), however, I believe granular tokens on npm are new (as of end of 2022) and hence the token may have access to all of Andy's packages 😅

@andyrichardson
Copy link
Collaborator

Cheers @kitten, I've revoked all my tokens on npmjs 👍

@kitten
Copy link
Member Author

kitten commented Jan 14, 2023

Alright, I can take care of the extensions keys on Monday. I've got the login credentials for Firefox & Chrome in a 1Password vault, so I'll be able to go in and rotate them.

@kitten kitten self-assigned this Jan 14, 2023
@JoviDeCroock JoviDeCroock mentioned this issue Feb 14, 2023
Merged
9 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@kitten kitten

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@kitten @andyrichardson