IntelliJ GitHub Plugin leaking credentials
blog.jetbrains.com
It seems like GitHub is rejecting requests from affected IDE versions. We discovered this yesterday because PR integration was not working even though the GitHub login/token was correct. Issue resolved by upgrading the IDE to the latest version.
Off topic -- how does the JetBrains website display "IntelliJ" text in stylized "iJ" at the end of IntelliJ? Some CSS magic?
I tried editing the text using the developer tools and this styling only applies when the text is IntelliJ or any word that starts with this exact string (case sensitive)
That effect comes from their font - "Jetbrain Sans"
Have you seen those weird "fonts for programmers" that make != look like a single character? Same thing.
(Btw I hate that)
That’s font ligature. Basically when two glyphs/symbols are one after another, they have a different glyph to show both of them.
What is the actual vulnerability? The post is super light on details.
Sounds like they added token to all requests done by the plugin, so when you opened a pull request and linked an image from 3rd party, the 3rd party would receive your token.
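The mechanism described in the comment above, as an added example that is not code from the thread or from the JetBrains plugin: a client that attaches its token to every outgoing request leaks it to any host an embedded image points at, while a client that decides per host whether to send credentials does not. The allow-listed host, the header function names and the sample PR body are constructed for this example.

```python
"""Added example: scope a bearer token to the hosts entitled to see it."""
import re
from urllib.parse import urlsplit

# Hosts that may receive the token (an assumption for this example; the
# real plugin's API host list is not on the page).
TOKEN_HOSTS = frozenset({"api.github.com"})

# Markdown image syntax: ![alt](url)
IMAGE_RE = re.compile(r"!\[[^\]]*\]\(([^)\s]+)\)")

# Constructed PR body: one image from a GitHub CDN, one from a third party.
SAMPLE_PR_BODY = """
Fixes the login bug, screenshot attached.
![screenshot](https://user-images.githubusercontent.com/example/shot.png)
![badge](https://third-party.example/badge.png)
"""


def leaky_headers_for(url: str, token: str) -> dict:
    """The behaviour the thread describes: the token rides on every request,
    whatever host the URL points at."""
    return {"User-Agent": "example-client", "Authorization": f"Bearer {token}"}


def headers_for(url: str, token: str) -> dict:
    """Hardened form: the token is added only for HTTPS requests whose host
    is exactly one of TOKEN_HOSTS (hostname, not a prefix or suffix match)."""
    parts = urlsplit(url)
    headers = {"User-Agent": "example-client"}
    if parts.scheme == "https" and parts.hostname in TOKEN_HOSTS:
        headers["Authorization"] = f"Bearer {token}"
    return headers


def image_urls(markdown: str) -> list:
    """Extract image URLs a renderer would fetch from a PR description."""
    return IMAGE_RE.findall(markdown)


def token_recipients(markdown: str, token: str, header_fn=headers_for) -> dict:
    """Simulate rendering a PR body and report, per image host, whether the
    token would have been sent along with the image fetch."""
    recipients = {}
    for url in image_urls(markdown):
        host = urlsplit(url).hostname
        recipients[host] = "Authorization" in header_fn(url, token)
    return recipients


if __name__ == "__main__":
    print("leaky :", token_recipients(SAMPLE_PR_BODY, "t", leaky_headers_for))
    print("scoped:", token_recipients(SAMPLE_PR_BODY, "t"))
```

The scheme check matters as much as the host check: a token sent over plain HTTP to the right host is exposed on the wire, and a suffix match such as "endswith('github.com')" would still send it to an attacker-controlled subdomain, which is why the hardened version compares the parsed hostname for equality.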
Good idea to rotate your tokens on a regular basis, but in this case, go ahead and do it now (if you use this tool and plugin)
Better even, don't use never-expiring tokens/credentials that need rotation.
Expiration is still a form of rotation. Also, GitHub doesn't provide never-expiring tokens, all of their tokens have expiration policies and need regular rotation. That doesn't mean that there aren't good reasons (such as in this case vulnerable applications) to manually rotate even before the expiration date.
IIRC, GH classic tokens can never expire.
I have a client who was using JetBrains' TeamCity CI product. Was a clown show of vulnerabilities that allowed attackers access to internals.
Do not use their products. If you must for some reason, be sure you subscribe to critical CVEs of the products you are using and update them immediately and rotate your credentials. Ideally re-install on a fresh server. Never have the service available via the public web, it will be hacked - only use their products behind a VPN.
https://blog.jetbrains.com/teamcity/2024/02/critical-securit... https://blog.jetbrains.com/teamcity/2024/03/additional-criti...
Their plugins are a (very) mixed bag, but saying to not use their products is a bit too alarmist if you ask me - the baseline IDE is doing fairly well, and teamcity and doing your GitHub-specific PR-stuff from within intelliJ is kind of niche overall I would assume (I've never used either, only the stock git client they have)
That's fair. I have limited experience with the rest of their offerings. They only came onto my radar because of regular critical CVEs that needed urgent fixing. The communication from the company had no hint of apology - just "hey, better fix this before your server is p0wned" - which did not seem like they were to be taken seriously.
I kind of have to agree but their software products are huge, it's difficult to say if they are particularly bad. Don't expose their products on the open web is good advice but it applies to many products not just theirs (like gitlab/gitea).
Android Studio is built on the IntelliJ platform; this is not a choice a developer can always make.
—-
P.S. Yes, it is possible to develop Android apps without Studio, but it is painful to set up and manage; developers should not be fighting the system to do their jobs.
This is the second time today I've seen this, but it is dated the 10th. How come it's taken everyone so long to notice?
I don't understand what you mean: a blog post was published on the 10th, you saw a link to it twice today, so "everyone" took "so long to notice"?
I'm teasing, it's just a surprisingly increasing fallacy I see: "Why is the rate at which I saw things not the rate I expect? What did They mean by this?"
> I'm teasing, it's just a surprisingly increasing fallacy I see: "Why is the rate at which I saw things not the rate I expect? What did They mean by this?"
Indeed, I have been noticing this form of fallacy lately too. It pops up everywhere. It seems to be related to the recent trend of boldly stating opinions about anything, without having any domain knowledge, which seems to have been popularized by a certain orange.
Well considering the amount I’m on here, Reddit, and various tech slacks seeing something like this repeatedly normally means it’s just been posted. I’m kinda wondering if they didn’t do the usual promotion.
Obviously Big Kotlin is suppressing the news.
It didn't? I have got three different advisories from infosec this week; even customers have asked about it.