Security Alert: re: CircleCI's security incident (2023-01)

[watermint]

The project currently using CircleCI as building/packaging infrastructure.
CircleCI announced potential leakage of secrets.

• CircleCI security alert: Rotate any secrets stored in CircleCI

Impact

Impact to this project is minimal.
All your data aren't related to this incident.

Detail

(as of 2023-01-05)

The watermint toolbox obfuscates and stores your credentials (to connect with your Dropbox or Google accounts) on your PC when you connect to Dropbox, Google services, etc. For this obfuscation, watermint toolbox uses the data stored in CircleCI.

However, this is only obfuscation and does not directly protect your credentials and you should take care not to share the files stored under $HOME/.toolbox/secrets with anyone. In this sense, there is no increased security risk associated with this CircleCI security incident.

Update (2023-01-16)

After evaluation, there were no additional impact on this security incident by CircleCI.
Compared to risk & cost, I'll withdraw below changes which previously announced on (2023-01-05). Please add comments if you have any concerns, or reach out toolbox@watermint.org if you want to raise risk privately.

As a precautionary measure, the watermint toolbox will rotate the data used for obfuscation in the next release.

If you want to ensure that you address the impact of this CircleCI incident, you need to take the following steps.

• Remove watermint toolbox tokens from services you are connected to, such as Dropbox or Google, after the new release (we will update this document after the release)
• Delete all files stored under $HOME/.toolbox/secrets
• Re-connect to the required services such as Dropbox or Google with the new release version.

[watermint]

The project no longer use CircleCI. The issue fixed.