In the open source repository fuselibs-public, we accidentally leaked a username and password for TeamCity. They were not stored directly in the repo, but were contained in a shell script that is downloaded as part of the build process. The password has now been changed.
In the Devtools repo, we had a shell script with some functions for interacting with TeamCity. This used "Basic Authorization", which means the script had a hardcoded base64-encoded username and password for the teamcity user on TeamCity. This user has access to basically everything on TeamCity, including build logs, branch names, build artifacts etc., from all the projects running in TeamCity. The user does not have administrator access, so it could not have created other users, changed other passwords, seen or changed project configurations etc.
If anyone found the username and password and logged into TeamCity, it is possible that they viewed the build parameters of a build, which display the token we use to upload files to our cloud storage and to change redirects on go.fusetools.com.
This password did not give access to our closed source repositories. A user who logged in to TeamCity would be able to view the patches for each build, and thus in theory be able to see any part of our source code. But stitching this together into the full source code would be very hard.
The token for uploading Fuse releases is encrypted and has not been leaked.
Since the username and password were not stored directly in the repository, but rather in another closed source repository, they would not have been picked up by bots that scrape GitHub for leaks like this one. Also, the repository had to be cloned and built before the file containing the password would be available. Many people have built the repository and so had the password available on disk, but it is impossible to know whether anyone actually read these scripts. These scripts are not actually used by fuselibs developers, so unless someone went reading through obscure parts of the repo after building, they would not have found them. But developers are curious, so they might very well have done so.
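As an added illustration of the detection side (example code, not anything from the fusetools repositories), a small Python scanner that flags the pattern described above: a shell script carrying an `Authorization: Basic` header, or a curl `-u user:password` argument, with a literal credential instead of one read from the environment. The sample script, host name and password below are constructed placeholders; only the username teamcity comes from this post.

```python
import base64
import re
from pathlib import Path
from typing import List, NamedTuple, Optional

class Finding(NamedTuple):
    path: str
    line_no: int
    user: str  # only the username is reported; the password itself is never echoed

# "Authorization: Basic <base64>" as it appears in curl calls inside shell scripts.
BASIC_RE = re.compile(r"Authorization:\s*Basic\s+([A-Za-z0-9+/=]{8,})", re.IGNORECASE)
# curl's -u/--user flag carrying an inline "user:password" value.
CURL_USER_RE = re.compile(r"(?:^|\s)(?:-u|--user)\s+['\"]?([^\s'\"]+:[^\s'\"]+)")

def decode_basic(token: str) -> Optional[str]:
    """Decode a Basic-auth token to 'user:password', or None if it is not one."""
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    return raw if ":" in raw and raw.isprintable() else None

def scan_text(text: str, path: str = "<inline>") -> List[Finding]:
    """Report every hardcoded Basic-auth credential in a script body."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        for m in BASIC_RE.finditer(line):
            creds = decode_basic(m.group(1))
            if creds:
                findings.append(Finding(path, n, creds.split(":", 1)[0]))
        for m in CURL_USER_RE.finditer(line):
            if "$" not in m.group(1):  # "$USER:$PASS" is injected at runtime, not hardcoded
                findings.append(Finding(path, n, m.group(1).split(":", 1)[0]))
    return findings

def scan_tree(root: str) -> List[Finding]:
    """Scan every *.sh file under a checkout or a finished build directory."""
    return [f for p in Path(root).rglob("*.sh")
            for f in scan_text(p.read_text(errors="replace"), str(p))]

# Constructed sample script (placeholder host and password, not the real devtools script).
SAMPLE_SCRIPT = """#!/bin/sh
TC_URL=https://teamcity.example.invalid
tc_get() {
  curl -s -H "Authorization: Basic dGVhbWNpdHk6czNjcmV0" "$TC_URL/httpAuth/app/rest/$1"
}
tc_get_safe() {
  curl -s -u "$TC_USER:$TC_PASS" "$TC_URL/httpAuth/app/rest/$1"
}
"""
```

Run `scan_tree` over a freshly built checkout rather than the bare clone, since, as noted above, the script only appeared on disk after the build had downloaded it.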
When fuselibs-public was open sourced, in April 2017.
- The password for the teamcity user was changed
- The token for uploading to files.fusetools.com and changing redirects was changed
- Analyzed TeamCity access logs since October 2016 and internal logs on TeamCity since January 2017 to check that no unauthorized access has taken place
- Went through redirects on go.fusetools.com and checked that none were tampered with
- The script in the devtools repo was updated to no longer interact with TeamCity
- New devtools.stuff was distributed to master on:
  - Uno
  - Fuselibs
  - Premiumlibs
  - Fuse
  - example-docs
- TC panel updated with separate user
- Updated password for TeamCity nuget server used in the Fuse repo