
Researchers Claim Travis CI API Leaks 'Tens of Thousands' of User Tokens (arstechnica.com)

Ars Technica describes Travis CI as "a service that helps open source developers write and test software." They also wrote Monday that it's "leaking thousands of authentication tokens and other security-sensitive secrets."

"Many of these leaks allow hackers to access the private accounts of developers on Github, Docker, AWS, and other code repositories, security experts said in a new report." The availability of the third-party developer credentials from Travis CI has been an ongoing problem since at least 2015. At that time, security vulnerability service HackerOne reported that a Github account it used had been compromised when the service exposed an access token for one of the HackerOne developers. A similar leak presented itself again in 2019 and again last year.

The tokens give anyone with access to them the ability to read or modify the code stored in repositories that distribute an untold number of ongoing software applications and code libraries. The ability to gain unauthorized access to such projects opens the possibility of supply chain attacks, in which threat actors tamper with the software before it's distributed to users. The attackers can leverage their ability to tamper with the app to target huge numbers of projects that rely on the app in production servers.

Despite this being a known security concern, the leaks have continued, researchers in the Nautilus team at the Aqua Security firm are reporting. Two batches of data the researchers retrieved through the Travis CI API yielded 4.28 million and 770 million logs spanning 2013 through May 2022. After sampling a small percentage of the data, the researchers found what they believe are 73,000 tokens, secrets, and various credentials.

"These access keys and credentials are linked to popular cloud service providers, including GitHub, AWS, and Docker Hub," Aqua Security said. "Attackers can use this sensitive data to initiate massive cyberattacks and to move laterally in the cloud. Anyone who has ever used Travis CI is potentially exposed, so we recommend rotating your keys immediately."

  • by Anonymous Coward

    Just round them up and done. Can't be that many.

    Oh wait, you can't just round up the bogeymen. Well shoot, what now? Throw money at these "researchers" for some anti-"hacker" cure? Or maybe they could focus on the problem rather than invoking bogeymen.

    • Replace the word hacker with the word bank robber. "Banks everywhere are getting robbed by bank robbers". Then someone comes along and says that "bank robbers" is a bogeyman. It makes no sense whatsoever. The world is filled with bad hackers. There are likely tens of thousands of people who do this as a full-time occupation and hundreds of thousands who do it as a side hustle. Changing the name because you don't like the term isn't useful in any way, form or fashion. What point are you even trying to make? F
    • So the tokens are included in the encrypted https url? Where is the vulnerability? Or, are we saying that if your device or server is pwned then they can steal your keys? Are we saying we need 2FA on an unattended server? I guess you can have an app on your phone that you replicate your CI config to so it can vouch for every access.
      • The article is terrible, but from what I can tell, what they're saying is that people have Travis CI pipelines that inadvertently log credentials in some fashion. It's not very surprising: one of the more difficult aspects of CI is that you want to make the majority of the thing public, but have a few parts private, like tokens used to provide access.

        Think something like "echo $PASSWORD | ssh-add aws-key-file" to unlock an SSH key for the duration of the CI run. (I think that works? I haven't tried this sp
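The leak path the comment above describes, credentials echoed into a public build log by the pipeline itself, is what the Aqua researchers were mining at scale. As an added example that is not from the article, the Aqua report or Travis CI, here is a small Python scanner run over a constructed Travis-style log excerpt: it flags known token formats (GitHub's `ghp_` and AWS's `AKIA` prefixes are public provider conventions) and high-entropy secret-looking assignments, while letting a path through, and shows the masking a log pipeline should apply before a log is published. All sample values are constructed; the AWS key is AWS's own documented example key.

```python
import math
import re
from collections import Counter
# Public credential formats (GitHub PAT 'ghp_', AWS access key ID 'AKIA').
KNOWN_PATTERNS = {
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}
# Generic fallback: NAME=value where NAME looks secret-ish and value is long.
ASSIGNMENT = re.compile(
    r"(?i)\b([A-Z_]*(?:TOKEN|SECRET|PASSWORD|KEY)[A-Z_]*)\s*=\s*['\"]?([A-Za-z0-9_\-/+=]{16,})"
)
ENTROPY_THRESHOLD = 4.0  # bits per character; tune against your own logs
def shannon_entropy(s):
    """Bits per character: random tokens score high, paths and words low."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())
def scan_log(lines):
    """Return (line_number, finding_type, value) for every suspected secret."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        seen = set()  # values already reported by a known-format pattern
        for kind, pat in KNOWN_PATTERNS.items():
            for m in pat.finditer(line):
                seen.add(m.group(0))
                findings.append((lineno, kind, m.group(0)))
        for m in ASSIGNMENT.finditer(line):
            value = m.group(2)
            if value not in seen and shannon_entropy(value) >= ENTROPY_THRESHOLD:
                findings.append((lineno, "high_entropy_" + m.group(1).lower(), value))
    return findings
def redact(lines):
    """What a masking step should have done before the log was published."""
    out = list(lines)
    for lineno, _, value in scan_log(lines):
        out[lineno - 1] = out[lineno - 1].replace(value, "[redacted]")
    return out
# Constructed Travis-style log: line 1 is Travis masking an encrypted variable;
# '+ ' lines are bash xtrace output (-x), which prints each expanded command,
# secrets included. AKIAIOSFODNN7EXAMPLE is AWS's documented example key.
SAMPLE_LOG = [
    "$ export GITHUB_TOKEN=[secure]",
    "+ curl -H 'Authorization: token ghp_0123456789abcdefghijklmnopqrstuvwxyz' https://api.github.com/user",
    "+ aws configure set aws_access_key_id AKIAIOSFODNN7EXAMPLE",
    "+ export DOCKER_PASSWORD=Zx9qLm2vTp8rWk4nBh6yJs3d",
    "+ export ANSIBLE_SECRET_PATH=/home/travis/build/secrets",
    "Build succeeded in 42s",
]
```

Running `scan_log(SAMPLE_LOG)` reports the three xtrace lines that carry a real-looking secret and nothing for the masked `[secure]` variable or the filesystem path; `redact` replaces each reported value with `[redacted]`.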

  • Continuous integration tools should all be considered insecure. Put them behind a firewall and only allow access through a VPN (or similar).

    If you leave Jenkins, or Gitlab, or whatever else on the open internet, it will get hacked.
