Reply to post: Flawed integrity check of a bash script can be hacked

Codecov dev tool warns of stolen credentials from compromised script, undiscovered for two months

A random security guy

Flawed integrity check of a bash script can be hacked

The Codecov integrity check itself can be hacked because the version string extracted from the shell file is neither properly quoted nor validated. Here is the proper Twitter reference:

https://twitter.com/lorenc_dan/status/1383598341347368967?s=19

What we know is the LAST file. There were many changes to the hacked file so we don't know what else the script could have done.

I was able to do a few more things with the flawed integrity check described at https://docs.codecov.io/docs/about-the-codecov-bash-uploader#validating-the-bash-script

curl -s https://codecov.io/bash > codecov;
VERSION=$(grep 'VERSION=\".*\"' codecov | cut -d'"' -f2);
for i in 1 256 512
do
  shasum -a $i -c --ignore-missing <(curl -s https://raw.githubusercontent.com/codecov/codecov-bash/${VERSION}/SHA${i}SUM)
done
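A stricter form of that check, added here as an example that is not from the Codecov docs or from the commenter: the VERSION value pulled out by grep/cut is validated against a dotted-numeric pattern and rejected otherwise, before it is quoted into the checksum URL. The sample uploader text is constructed so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the Codecov docs or the commenter: validate the
# VERSION string before it reaches the checksum URL, instead of interpolating
# whatever `grep | cut` returned.

# Constructed stand-in for the file fetched with `curl -s https://codecov.io/bash`.
SAMPLE_SCRIPT='#!/usr/bin/env bash
VERSION="1.0.1"
echo "uploader body"
'

# Same extraction the published check uses, applied to a string so it runs
# offline. Note the pipeline exits 0 even when grep matches nothing.
extract_version() {
    printf '%s' "$1" | grep 'VERSION=".*"' | cut -d'"' -f2
}

# Accept only a dotted numeric version such as 1.0.1. Slashes, spaces,
# newlines (a second matching line) and shell metacharacters are all rejected.
validate_version() {
    case "$1" in
        ''|*[!0-9.]*) return 1 ;;   # empty, or a character outside 0-9 and '.'
        .*|*.|*..*)   return 1 ;;   # leading, trailing or doubled dot
        *.*)          return 0 ;;   # at least one dot between digit runs
        *)            return 1 ;;   # a bare number is not a release tag here
    esac
}

# Extract and validate in one step; prints the version only if it is safe.
safe_version() {
    _v=$(extract_version "$1")
    validate_version "$_v" || return 1
    printf '%s\n' "$_v"
}

# Build the checksum URL from the docs' check with the version always quoted.
checksum_url() {
    printf 'https://raw.githubusercontent.com/codecov/codecov-bash/%s/SHA%sSUM\n' "$1" "$2"
}

# Usage: prints 1.0.1 and the SHA256SUM URL for it.
if _ver=$(safe_version "$SAMPLE_SCRIPT"); then
    echo "$_ver"
    checksum_url "$_ver" 256
else
    echo "refusing: VERSION missing or malformed" >&2
fi
```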
