Thousands of authentication tokens and other security-sensitive secrets are being leaked by a service that assists open source developers in writing and testing software. According to a new report by security experts, many of these leaks allow hackers to access the private accounts of developers on GitHub, Docker, AWS, and other code repositories.
The availability of Travis CI's third-party developer credentials has been an ongoing issue since at least 2015. HackerOne, a security vulnerability service, reported at the time that a GitHub account it used had been compromised after the service exposed an access token for one of the HackerOne developers. A similar leak surfaced again in 2019 and again last year.
Anyone with access to the tokens can read or modify the code stored in repositories that distribute countless software applications and code libraries. Unauthorised access to such projects opens the door to supply chain attacks, in which threat actors tamper with software before it is distributed to users. Attackers can use their ability to modify an application to target the large number of projects that depend on it in production servers.
Despite this being a known security risk, researchers from Aqua Security's Nautilus team report that the leaks have continued. Two batches of data that the researchers accessed through the Travis CI application programming interface yielded 4.28 million and 770 million logs, respectively, spanning 2013 to May 2022. After sampling a small percentage of that data, the researchers found 73,000 tokens, secrets, and other credentials.
“These access keys and credentials are linked to popular cloud service providers, including GitHub, AWS, and Docker Hub,” Aqua Security said. “Attackers can use this sensitive data to initiate massive cyberattacks and to move laterally in the cloud. Anyone who has ever used Travis CI is potentially exposed, so we recommend rotating your keys immediately.”
Travis CI is a provider of continuous integration (CI), an increasingly popular practice that automates the building and testing of every committed code change: after each change, the code is built, tested, and merged into a shared repository. Because CI needs broad access to do its job, CI environments typically store access tokens and other secrets that grant privileged access to sensitive parts of a cloud account. Aqua Security found access tokens for a wide range of repositories, including GitHub, AWS, and Docker.
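The kind of check a team can run over its own CI logs before they are exposed, as an added example that is not code from the original article or from Aqua Security: it scans constructed Travis-style log lines for the credential formats of the three providers named above, summarises what needs rotating, and returns a redacted copy. The sample lines and key values are made up; the patterns are heuristics based on the public prefix formats of AWS access key IDs, GitHub tokens and Docker Hub access tokens, not an exhaustive list.

```python
import re
from collections import Counter

# Constructed sample of CI build output (not real Travis CI logs). The key
# values are made up and only follow the public shape of each credential type.
SAMPLE_LOG = """\
$ export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
$ docker login -u ci-bot -p dckr_pat_AbCdEfGhIjKlMnOpQrStUvWxYz0123
$ git clone https://ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdef0123@github.com/org/repo.git
$ make test
All 42 tests passed.
"""

# Heuristic patterns keyed by credential type. They match the documented
# prefixes of each provider's tokens; a real scanner would carry many more.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{20,}\b"),
    "docker_hub_pat": re.compile(r"\bdckr_pat_[A-Za-z0-9_-]{20,}\b"),
}


def scan_log(text):
    """Return a list of (line_number, credential_type, matched_value)."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append((lineno, kind, match.group(0)))
    return findings


def rotation_summary(findings):
    """Count findings per credential type: the list used to decide which
    providers' keys to rotate first."""
    return dict(Counter(kind for _, kind, _ in findings))


def redact_log(text):
    """Return the log with each detected secret replaced by its first four
    characters plus a marker, enough to identify the provider but not to use."""
    def mask(match):
        return match.group(0)[:4] + "[REDACTED]"

    for pattern in PATTERNS.values():
        text = pattern.sub(mask, text)
    return text


if __name__ == "__main__":
    for lineno, kind, value in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {kind} ({value[:4]}...)")
    print(rotation_summary(scan_log(SAMPLE_LOG)))
    print(redact_log(SAMPLE_LOG))
```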