Coin miner breach?

msvrtan · December 4, 2016, 11:59am

I’we just noticed that there is a coin miner running on my CircleCI setup!

https://circleci.com/gh/msvrtan/cqrs1/72

I cant figure out how it got to run since my project has no PR’s, has no forks, not branch named pull/2 but this is running on my CircleCI

schwamster · December 6, 2016, 7:00am

+1

I also got an email from circle ci saying i should “Disable permissive forked PR builds” which i havent ever enabled.

I would also very much like to know how to avoid that

RoboticCheese · December 6, 2016, 10:57pm

Looks like we’re being hit by the same malicious GitHub user. I reported them for abuse today after one of my projects was flagged. Seems the account is dedicated to forking assorted repos to misuse CircleCI.

The pull requests not really existing makes me think they’re exploiting a bug in the GitHub API, but I’ll see what they say.

zzak · December 7, 2016, 6:03am

Hello!

Thank you for reaching out about this issue. We’re aware and working through it now.

If you haven’t could you please send an email to support@circleci.com?

JoshSmith · December 7, 2016, 9:53pm

We are not currently receiving the support we’ve come to expect from Circle. I understand that it appears you have discovered a potentially rather frightening vulnerability and that you need to evaluate thoroughly before posting a public post-mortem.

However, here’s the situation we’re in now:

Forked builds are not being created at all. We received no warning that this would happen and discovered it only by accident when triaging PRs on GitHub.

Support staff took 3 hours for the first reply, indicating only that there was a bug fixed (without explanation) and that I can revert the functionality by enabling permissive forked PR builds.
We need builds that do not expose environment variables and these builds apparently no longer happen. I’m still not understanding why because your support staff has not clarified.
After raising further concerns asking for explicit details as to the bug, possible vulnerabilities, and steps I should take now on my end, I received a pretty blasé “we understand your concerns” reply with no additional details, no timeline, and no promise of further follow-up by an actual support engineer.

As a result, I’m now standing idly by wondering whether we should roll keys or other sensitive information or what other steps we must take to protect ourselves and our data.

We’ve been left hanging without any insight whatsoever. Please address these concerns – if not in public, at least with your customers who are begging for you to address them.

tom · December 8, 2016, 8:45am

We have been in touch directly with Josh (and all affected customers) since this post.

The issue being discussed is complex so we haven’t published a public post-mortem yet. Please don’t hesitate to contact us directly if you have any more concerns.

katy · January 24, 2018, 12:36pm

Where can I find the public post-mortem for this?

Topic		Replies	Views
Pull Request from forked repo's are not being tested Feedback & Bug Reports github	6	2751	June 18, 2018
User created pull request that ran miner from circle.yml - how can that be prevented? Product Feedback	2	1041	June 18, 2018
CircleCi Not Updating PR With Build Status On Build Environment github	1	1089	June 18, 2018
Change in github auth Feedback & Bug Reports	1	671	June 18, 2018
CircleCI broken -- using unknown key to checkout forked repos Build Environment	4	1207	June 18, 2018

Coin miner breach?

Related Topics