Hi, I wrote that post. I don’t think that this is quite the same issue.
The 2019 post is vague but I think what happened is an attacker stole the credentials for e.g. CircleCI’s account for Google Analytics. So an attacker could see URLs that were visited, IP addresses, but they couldn’t run JavaScript on CircleCI’s domain.
The difference is between an attacker compromising the Google Analytics JavaScript snippet CDN and an attacker compromising a Google Analytics user account. The latter only lets you read the metadata, not make any of the juicy AJAX calls.
(Also, it’s probably not actually Google Analytics, just listing a tool most people are familiar with).
It’s obviously not good but it’s not the same vulnerability I wrote about nor as bad as the one I described two years ago.
However if they haven’t resolved an obvious security issue in two years, that is a strong signal that security is a low priority, which is relevant to their risk of compromise (as has occurred).
Integrating third-party JavaScript has multiple known solutions that are secure, but they require choosing compromises and are usually significant work to implement. If CircleCI haven’t fixed serious security issues after 2 years then it shows they probably don’t care enough about security - a very bad signal.
The question was: have they mitigated the security issue you raised, or ignored it?