A service that helps open source developers write and test software leaks thousands of authentication tokens and other security-sensitive secrets. Many of these leaks give hackers access to developers’ private accounts on Github, Docker, AWS and other code repositories, security experts said in a new report.
The availability of Travis CI’s third-party developer credentials has been an ongoing issue since at least 2015. At that time, security vulnerability service HackerOne reported that a Github account it was using had been compromised when the service had exposed an access token for one of the HackerOne developers. A similar leak showed up again in 2019 and again last year.
Tokens give anyone with access to them the ability to read or modify code stored in repositories that distribute countless software applications and the code libraries they depend on. Unauthorized access to such projects opens the door to supply chain attacks, in which threat actors insert malicious code into software before it is distributed to users. Attackers who can alter an application can use it to target the large number of downstream projects and production servers that rely on it.
Although it is a known security issue, the leaks have continued, report researchers from Aqua Security’s Nautilus team. Two datasets the researchers retrieved through the Travis CI application programming interface contained 4.28 million and 770 million logs spanning 2013 to May 2022. After sampling a small percentage of the data, the researchers found what they believe to be 73,000 tokens, secrets, and other credentials.
“These access keys and credentials are tied to popular cloud service providers including GitHub, AWS, and Docker Hub,” Aqua Security said. “Attackers can use this sensitive data to launch massive cyberattacks and move laterally through the cloud. Anyone who has ever used Travis CI is potentially at risk, so we recommend rotating your keys immediately.”
Travis CI is a provider of an increasingly common practice known as continuous integration. Often abbreviated as CI, it automates the building and testing of every code change that is committed. For each change, the code is built, tested and merged into a shared repository. Because CI needs broad access to do this, CI environments typically store access tokens and other secrets that grant privileged access to sensitive parts of the cloud account.
Access tokens found by Aqua Security involved private accounts from a wide range of repositories, including Github, AWS, and Docker.
Here are examples of exposed access tokens:
- GitHub access tokens that can allow privileged access to code repositories
- AWS Access Keys
- Sets of credentials, usually an email address or username and password, that allow access to databases such as MySQL and PostgreSQL
- Docker Hub passwords, which can lead to account takeover if MFA (multi-factor authentication) is not enabled
The following graph shows the breakdown:
Aqua Security researchers added:
We found thousands of GitHub OAuth tokens. It’s safe to assume that at least 10-20% of them are live, especially those found in recent logs. We simulated in our cloud lab a lateral movement scenario based on this initial access scenario:
1. Extracting a GitHub OAuth token via exposed Travis CI logs.
2. Discovery of sensitive data (i.e., AWS access keys) in private code repositories using the exposed token.
3. Attempts to move laterally with AWS access keys in the AWS S3 bucket service.
4. Discovery of cloud storage objects through bucket enumeration.
5. Data exfiltration from target’s S3 to attacker’s S3.
Representatives for Travis CI did not immediately respond to an email seeking comment on the post. Given the recurring nature of this exposure, developers should proactively rotate access tokens and other credentials on a regular schedule. They should also regularly scan their code artifacts and build logs to make sure they don’t contain credentials or other sensitive information. Aqua Security has additional advice in its post.