@knatten
Last active October 6, 2017 12:07

Intro

In the open source repository fuselibs-public, we accidentally leaked a username and password for TeamCity. They were not stored directly in the repo, but were contained in a shell script that the build process downloads. The password has now been changed.

What was leaked, and how

In the Devtools repo, we had a shell script with some functions for interacting with TeamCity. This used HTTP Basic authentication, which means the script had a hardcoded Authorization header containing the base64-encoded username and password for the teamcity user on TeamCity (base64 is an encoding, not encryption, so anyone with the file can recover both). This user has access to basically everything on TeamCity, including build logs, branch names, build artifacts etc., from all the projects running in TeamCity. The user does not have administrator access, so it could not have created other users, changed other passwords, or seen or changed project configurations.

Possible indirect leaks

If anyone found the username and password and logged into teamcity, it is possible that they viewed the build parameters of a build, which display the token we use to upload files to our cloud storage and to change redirects on go.fusetools.com.

Source code

This password did not give access to our closed source repositories. A user who logged in to teamcity would be able to view the patches for each build, and thus in theory be able to see any part of our source code. But stitching this together into the full source code would be very hard.

Fuse releases

The token for uploading Fuse releases is encrypted and has not been leaked.

Likelihood of misuse

Since the username and password were not stored directly in the repository, but rather in another closed source repository, they would not have been picked up by bots that scrape GitHub for leaked credentials like this one. Also, the repository had to be cloned and built before the file containing the password would be available. Many people have built the repository and therefore had the password available on disk, but it is impossible to know whether anyone actually read these scripts. These scripts are not actually used by fuselibs developers, so unless someone went reading through obscure parts of the repo after building, they would not have found them. But developers are curious, so they might very well have done so.
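The two points above, that a base64 Basic credential is recoverable by anyone who has the file, and that secret-scanning bots never see a script that only appears on disk after a build, are illustrated by the following added example. It is not code from the fuselibs or devtools repositories; the file names, the host teamcity.example.invalid, the environment variable names and the credential are all constructed for the demo. It writes a throwaway tree containing a hypothetical helper script with the hardcoded header next to a hardened variant that takes the credential from the environment, then scans the built tree, decodes any Basic tokens it finds and reports the file and username only.

```shell
#!/bin/sh
# Added example (not from the fuselibs/devtools repos): how a hardcoded HTTP Basic
# credential looks in a build-time helper script, how a post-build scan can find it,
# and the hardened pattern that takes the credential from the environment instead.
# All file names, hosts and credentials below are constructed for the demo.

# Create a throwaway tree with two hypothetical helper scripts: one with the
# anti-pattern (credential baked in), one that reads it from the environment.
make_sample_tree() {
  dir=$(mktemp -d)
  mkdir -p "$dir/devtools"
  # base64 is an encoding, not encryption: the token is just "user:password".
  cred=$(printf '%s' 'ci-user:example-password' | base64)
  cat > "$dir/devtools/teamcity_hardcoded.sh" <<EOF
#!/bin/sh
# Anti-pattern: anyone who builds the repo gets this header on disk.
curl -s -H "Authorization: Basic $cred" https://teamcity.example.invalid/app/rest/builds
EOF
  cat > "$dir/devtools/teamcity_env.sh" <<'EOF'
#!/bin/sh
# Hardened: the credential is injected at run time (CI secret, keychain, etc.)
# and never lands in the repository or in a downloaded script.
: "${TEAMCITY_USER:?set TEAMCITY_USER}" "${TEAMCITY_TOKEN:?set TEAMCITY_TOKEN}"
curl -s -u "$TEAMCITY_USER:$TEAMCITY_TOKEN" https://teamcity.example.invalid/app/rest/builds
EOF
  printf '%s' "$dir"
}

# Scan a built tree for "Basic <base64>" tokens. Secret-scanning bots only see what
# is committed, so this runs after the build, when downloaded scripts are on disk.
# Output: one "<file><TAB><username>" line per hit; the password is never printed.
scan_basic_auth() {
  grep -rEo 'Basic [A-Za-z0-9+/=]{8,}' "$1" 2>/dev/null |
  while IFS=: read -r file match; do
    token=${match#Basic }
    decoded=$(printf '%s' "$token" | base64 -d 2>/dev/null) || continue
    case $decoded in
      *:*) printf '%s\t%s\n' "$file" "${decoded%%:*}" ;;  # looks like user:password
    esac
  done
}

# CI gate: succeed only if the tree contains no decodable Basic credential.
check_tree() {
  [ -z "$(scan_basic_auth "$1")" ]
}

# Stand-alone demo: one hit (the hardcoded script), the env-based script is clean.
demo_dir=$(make_sample_tree)
scan_basic_auth "$demo_dir"
if check_tree "$demo_dir"; then echo "clean"; else echo "hardcoded credential found"; fi
rm -rf "$demo_dir"
```

Running check_tree as a step after the build, on the checkout plus everything the build downloaded, is what catches this class of leak: scanning the committed tree alone, which is all a GitHub-scraping bot does, would report it clean.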

When was it leaked

When fuselibs-public was open sourced, in April 2017.

What have we done about it

  • The password for the teamcity user was changed
  • The token for uploading to files.fusetools.com and changing redirects was changed
  • Analyzed TeamCity access logs since October 2016 and internal logs on TeamCity since January 2017 to check that no unauthorized access had taken place
  • Went through redirects on go.fusetools.com and checked that none were tampered with
  • The script in the devtools repo was updated to no longer interact with TeamCity
  • New devtools.stuff was distributed to master on:
    • Uno
    • Fuselibs
    • Premiumlibs
    • Fuse
    • example-docs
  • The TC panel was updated to use a separate user
  • Updated password for TeamCity nuget server used in the Fuse repo