
Relevant post on HN 2 years ago: https://news.ycombinator.com/item?id=15442636



"CircleCI trusts 8 analytics companies with your source code and API tokens, October 9, 2017. When you navigate to your project in CircleCI's UI, Javascript from eight different analytics companies gets loaded and executed in your browser."

So, did they do anything about that?

Even if using iframes and a secure API over postMessage/onmessage: safe, and security can be controlled by the external provider, i.e. safer for both parties (ideally the servers pass the security context between each other - we even use an iframe internally for all the same reasons).

https://kevin.burke.dev/kevin/circleci-is-hopelessly-insecur...
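The iframe-plus-postMessage isolation suggested in the comment above, as an added example (not CircleCI's code or any analytics vendor's): the third-party script runs in a cross-origin frame served from an assumed vendor origin (`ANALYTICS_ORIGIN` is a constructed value), so it cannot touch the parent page's DOM, cookies or API tokens, and the two sides exchange only validated, minimal messages.

```javascript
// Added example: confining a third-party analytics script to a cross-origin iframe and
// talking to it over postMessage. Assumption: the vendor's frame page is served from
// ANALYTICS_ORIGIN (constructed for this example), so the browser's same-origin policy
// keeps its JavaScript out of the parent document.

const ANALYTICS_ORIGIN = "https://analytics.example";
const ALLOWED_TYPES = new Set(["pageview", "event"]);

// Parent -> iframe. Only a reduced view of the page is sent: the path without query
// string or fragment, which is where tokens and session IDs tend to leak into analytics.
function buildOutboundMessage(type, rawUrl) {
  if (!ALLOWED_TYPES.has(type)) throw new TypeError(`unexpected message type: ${type}`);
  const url = new URL(rawUrl);
  return { type, path: url.pathname };
}

// Always name the target origin. postMessage(data, "*") would hand the payload to
// whatever document happens to be loaded in the frame at that moment.
function postToAnalytics(frameWindow, type, rawUrl) {
  const message = buildOutboundMessage(type, rawUrl);
  frameWindow.postMessage(message, ANALYTICS_ORIGIN);
  return message;
}

// iframe -> parent. Accept only messages from the vendor origin with a known shape, and
// copy out just the expected fields so nothing else from the vendor reaches app code.
function validateInboundMessage(event) {
  if (event.origin !== ANALYTICS_ORIGIN) return null;
  const data = event.data;
  if (typeof data !== "object" || data === null) return null;
  if (data.type !== "ack") return null;
  if (!Number.isInteger(data.count) || data.count < 0) return null;
  return { type: "ack", count: data.count };
}

// Browser wiring; a no-op under Node, where there is no window object.
if (typeof window !== "undefined") {
  window.addEventListener("message", (event) => {
    const msg = validateInboundMessage(event);
    if (msg) console.log("analytics frame acknowledged", msg.count, "events");
  });
}
```

Pair this with a `sandbox` attribute on the frame and a Content-Security-Policy on the parent page that does not list the vendor in `script-src`, so the script can only ever run inside the frame.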


> for e.g CircleCI’s account for Google Analytics

Google allows custom JS injection via Tag manager, so there are possible vectors, even if only access to 3rd party site was stolen. Of course I have no idea what was the deal here.

It's worth noting that CircleCI did nothing to address issues raised in the linked post. Their main app still loads tons of third party analytics garbage, e.g. Google, Hotjar, Amplitude and even Facebook of all people. I do block all those, but as someone pointed out it's not a solution and can't even be reliable at all times.

Please bear in mind that CircleCI not only has access to private repositories. More often than not they do store private SSH keys to your production servers.


Hi, I wrote that post. I don’t think that this is quite the same issue.

The 2019 post is vague but I think what happened is an attacker stole the credentials for e.g. CircleCI’s account for Google Analytics. So an attacker could see URLs that were visited, IP addresses, but they couldn’t run JavaScript on CircleCI’s domain.

The difference is between an attacker compromising the Google Analytics JavaScript snippet CDN and an attacker compromising a Google Analytics user account. The latter only lets you read the metadata, not make any of the juicy AJAX calls.

(Also, it’s probably not actually Google Analytics, just listing a tool most people are familiar with).

It’s obviously not good but it’s not the same vulnerability I wrote about nor as bad as the one I described two years ago.


Yeah, it didn’t look like the same issue.

However if they haven’t resolved an obvious security issue in two years, that is a strong signal that security is a low priority, which is relevant to their risk of compromise (as has occurred).

Integrating third-party JavaScript has multiple known solutions that are secure, but they require choosing compromises and are usually significant work to implement. If CircleCI haven’t fixed serious security issues after 2 years then it shows they probably don’t care enough about security - a very bad signal.

The question was: have they mitigated the security issue you raised, or ignored it?



