
security: Circle CI Dec 22, 2022 Breach Incident

Open kitten opened this issue 2 years ago • 3 comments

See for Incident Report

Related: https://github.com/urql-graphql/urql/issues/2927

Summary

Circle CI has reported that on December 22, 2022 attackers had access to their systems and were potentially able to extract stored data, encrypted at rest, and — more importantly — encryption keys from any running system. As far as I'm aware, this potentially affects any environment variable secret that is stored in Circle CI.

Procedure

As a safety precaution, I'd like to make sure we invalidate and rotate every secret that is stored in Circle CI that affects this repository.

We have no reason to believe any secrets were actually exposed or compromised just yet, but there's no excuse for us not to proactively rotate them.

Task

This repository uses and has used Circle CI actively. The configuration file can be found here: https://github.com/urql-graphql/urql-devtools/blob/4e7f7f6366984595cd119788d05107b382dbaba6/.circleci/config.yml (Last updated: Mar 18, 2022)

The secrets listed in this file are:

  • CLIENT_SECRET (Chrome extension publishing secret)
  • FIREFOX_API_SECRET (Firefox extension publishing secret)
  • REFRESH_TOKEN (Chrome store API key)
  • npm_TOKEN (HIGH RISK, npm publishing token)

Note: The good news here is that the extension stores' publishing process is "sluggish", meaning that we have a bit of time to rotate the secrets. The npm token's origin and access is probably more worrying.

These secrets should be invalidated as soon as possible.

cc @JoviDeCroock @gksander @andyrichardson @ryan-roemer

kitten avatar Jan 14 '23 15:01 kitten
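The inventory step above (read the CI config, list every secret it references, decide what to rotate first) is easy to get wrong by eye in a larger config. As an added example that is not part of this issue or of the urql-devtools project, here is a small Python script that scans CircleCI config text for `$VAR` / `${VAR}` references, drops CircleCI's own built-in variables, records which job uses each one, and flags names that look like credentials so they go to the top of the rotation list. The config text is constructed for illustration and only loosely resembles a publishing pipeline; the secret-name heuristic and the built-in-variable filter are assumptions, not anything CircleCI defines.

```python
import re

# Constructed sample config, not the project's real .circleci/config.yml.
SAMPLE_CONFIG = """
version: 2.1
jobs:
  publish-npm:
    docker:
      - image: cimg/node:16.13
    steps:
      - checkout
      - run: echo "//registry.npmjs.org/:_authToken=${npm_TOKEN}" > ~/.npmrc
      - run: npm publish
  publish-chrome:
    steps:
      - run: >
          npx chrome-webstore-upload-cli upload --auto-publish
          --client-id "$CLIENT_ID" --client-secret "$CLIENT_SECRET"
          --refresh-token "$REFRESH_TOKEN"
  publish-firefox:
    steps:
      - run: npx web-ext sign --api-key "$FIREFOX_API_KEY" --api-secret "$FIREFOX_API_SECRET"
      - run: echo "$HOME/$CIRCLE_BRANCH"
"""

# Matches $NAME and ${NAME}; the optional braces are tolerated on either side.
ENV_REF = re.compile(r"\$\{?([A-Za-z_][A-Za-z0-9_]*)\}?")

# Heuristic (assumption): names containing these words usually hold credentials.
SECRET_HINT = re.compile(r"(TOKEN|SECRET|KEY|PASS|PASSWORD|CREDENTIAL|AUTH)", re.I)

# Variables CircleCI or the shell sets itself; nothing to rotate there (assumed list).
BUILTIN_PREFIXES = ("CIRCLE_",)
BUILTIN_NAMES = {"HOME", "PATH", "USER", "SHELL", "PWD"}


def is_builtin(name):
    return name in BUILTIN_NAMES or name.startswith(BUILTIN_PREFIXES)


def referenced_env_vars(config_text):
    """Return {var_name: sorted list of jobs that reference it}.

    Uses a line-based walk instead of a YAML parser so it runs with the
    standard library only: top-level keys ending in ':' open a section, and
    two-space-indented keys under 'jobs:' are job names.
    """
    refs = {}
    section = None
    job = None
    for line in config_text.splitlines():
        stripped = line.rstrip()
        if not stripped or stripped.lstrip().startswith("#"):
            continue
        indent = len(stripped) - len(stripped.lstrip())
        if indent == 0 and stripped.endswith(":"):
            section = stripped[:-1]
            job = None
            continue
        if section == "jobs" and indent == 2 and stripped.endswith(":"):
            job = stripped.strip()[:-1]
            continue
        for name in ENV_REF.findall(stripped):
            if is_builtin(name):
                continue
            refs.setdefault(name, set()).add(job or section or "<top-level>")
    return {name: sorted(jobs) for name, jobs in sorted(refs.items())}


def rotation_checklist(refs):
    """Order the referenced variables with likely secrets first."""
    items = [
        {"name": name, "jobs": jobs, "likely_secret": bool(SECRET_HINT.search(name))}
        for name, jobs in refs.items()
    ]
    items.sort(key=lambda item: (not item["likely_secret"], item["name"]))
    return items


if __name__ == "__main__":
    for item in rotation_checklist(referenced_env_vars(SAMPLE_CONFIG)):
        flag = "ROTATE" if item["likely_secret"] else "review"
        print(f"{flag:7} {item['name']:22} used by: {', '.join(item['jobs'])}")
```

Run it against the real config text instead of the sample to get the same kind of list; anything flagged ROTATE should be revoked at its issuer (npm, the Chrome Web Store, AMO) before the replacement is stored in CircleCI, since deleting the CircleCI variable alone does not invalidate the credential.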

I don't know where the npm_TOKEN comes from (ending in d33a). It may still be an access token by @andyrichardson and not granular. In case it is granular, I've disabled publishing via access tokens entirely temporarily (npm > Publishing access > "Require two-factor authentication and disallow tokens"), however, I believe granular tokens on npm are new (as of end of 2022) and hence the token may have access to all of Andy's packages 😅

kitten avatar Jan 14 '23 15:01 kitten

Cheers @kitten, I've revoked all my tokens on npmjs 👍

andyrichardson avatar Jan 14 '23 15:01 andyrichardson

Alright, I can take care of the extensions keys on Monday. I've got the login credentials for Firefox & Chrome in a 1Password vault, so I'll be able to go in and rotate them.

kitten avatar Jan 14 '23 15:01 kitten