
Probably by not committing genocide


Except uninstalling the app does not equal removing it, as you claim. Removing it from the list of apps to load is not removal. Not to mention it resets back to installed and you have to rerun the command.


Yes and my parents claimed to love me while also disowning me. Crazy how people (corporations are people) lie like that.


> (corporations are people)

But they don't go to jail.


But it is legal to buy and sell pieces of them or dissolve them. What is your market cap? Oh wait, buying you is illegal.

People keep on saying that cliché like it is somehow profound or a great statement of injustice. Saying it really just shows that they don't understand that corporations are basically people by transitive property.

This is done for a very good reason because not doing so allows for all the myriad abuses through the back door if corporations were declared "not people".


You had me until “what the frick”


I don't see how this is specific to "exploiting CI / CD Pipelines" when he's really just exploiting someone encoding their github username AND password credentials (unorthodox af) into the url for remote.


Yes, that first part was not. But the article continues like this:

- they use those credentials to make a commit adding malicious code to the CI pipeline

- The rogue pipeline job adds their public SSH key to the `.allowed_keys` file in the production server

As the pipeline is run automatically on push, they get ssh access to the remote server.

That is the "CI / CD Pipelines" bit. That being said, it's a bit underwhelming, because given the title I thought they were going to exploit a bug in the CI/CD software itself. I don't know if I'd call that "exploiting" CI/CD software.


Because 1) the .git directory was deployed with the app code (the exploit vector), and 2) the deployment pipeline automatically integrated and pushed the attacker’s commit to a production system (completing the exploit), I’d say that claim is accurate. These are both defects in the thing the attacker claims to have exploited.

It sure wasn’t a good decision to use git-config to store creds for CI though! I wonder if OP found a developer’s old cached creds in the history that weren’t used anymore but happened to still be valid?
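A defensive check for the failure the thread describes (a `.git` directory shipped with the app, and credentials embedded in a remote URL in its config), as an added example that is not part of this thread or of the article it discusses: it parses git-config text and reports every remote whose URL carries a password, with the secret redacted. The config contents, remote names and credentials are constructed for this example.

```python
import os
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed sample .git/config (made-up values): one remote with a
# username:password in the URL, one SSH-style remote without.
SAMPLE_GIT_CONFIG = """[core]
\trepositoryformatversion = 0
[remote "origin"]
\turl = https://deploybot:hunter2@github.com/example/app.git
\tfetch = +refs/heads/*:refs/remotes/origin/*
[remote "mirror"]
\turl = git@example.com:example/app.git
"""

SECTION_RE = re.compile(r'^\s*\[(\S+?)(?:\s+"([^"]*)")?\]\s*$')
KEY_RE = re.compile(r'^\s*([\w-]+)\s*=\s*(.*?)\s*$')


def parse_git_config(text):
    """Return {(section, subsection): {key: value}} from git-config text."""
    sections, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(("#", ";")):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = sections.setdefault((m.group(1), m.group(2)), {})
            continue
        m = KEY_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
    return sections


def find_credentialed_remotes(text):
    """List (remote_name, redacted_url) for each remote URL embedding a password."""
    findings = []
    for (section, name), keys in parse_git_config(text).items():
        if section != "remote" or "url" not in keys:
            continue
        parts = urlsplit(keys["url"])
        if parts.password is None:
            continue  # scp-style git@host:path and plain https URLs carry no password
        host = parts.hostname + (f":{parts.port}" if parts.port else "")
        redacted = urlunsplit(parts._replace(netloc=f"{parts.username}:***@{host}"))
        findings.append((name, redacted))
    return findings


def scan_deployed_tree(root):
    """Walk a deployed webroot; a .git/config there is itself a finding, plus any secrets in it."""
    results = []
    for dirpath, dirnames, _ in os.walk(root):
        if ".git" in dirnames:
            cfg = os.path.join(dirpath, ".git", "config")
            with open(cfg, encoding="utf-8", errors="replace") as fh:
                results.append((cfg, find_credentialed_remotes(fh.read())))
    return results
```

Run `scan_deployed_tree("/var/www/app")` (path is a placeholder) against a deployed tree: any result at all means the repository metadata shipped with the app, and a non-empty second element means a remote URL in it still carries a password.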


I was one paragraph in before I realized this is GPT. Why are you replying to human thoughts with AI garbage? Wtf go interact with people in person.

