Today's data whoopsie is brought to you by CircleCI: Source safe, but look out for phishers Software testing and delivery company CircleCI has apologised for exposing user data to the world and its dog. The company blamed a third-party analytics provider for the leak, which it was told about at the end of August. CircleCI is a continuous integration/continuous delivery software pipeline for Microsoft, Linux, Docker …
Well that's just fine and dandy, isn't it ? A 3rd-party is responsible. But of course, it's not your fault that you couldn't be arsed to keep the job in-house. On the contrary, you went 3rd-party because that gives you plausible deniability.
It does not. You should have vetted your 3rd party better.
It's still your fault.
They haven't locked down their web app JavaScript includes: Facebook, Hotjar, Amplitude, Google, and others have access to your production SSL keys, code, passwords, etc.
It's a quick smell test for whether a company actually cares about security: what third-party scripts are included in their "secure" web page areas. The default web developer doesn't know better, and it is hard to lock down third parties (best solution is to avoid unnecessary third-party shit like analytics, also can use iframes or more complex solutions like caja).
This guy asked them about this issue 2 years ago, and apparently they haven't done anything much about it which signals CircleCI's security is poor: https://kevin.burke.dev/kevin/circleci-is-hopelessly-insecure/
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
