Credentials for thousands of open source projects free for the taking, again


A service that helps open source developers build and test software is leaking thousands of authentication tokens and other security-sensitive secrets. Many of the leaked secrets let attackers access developers’ private accounts on GitHub, Docker Hub, AWS and other services, security researchers said in a new report.

Travis CI exposing third-party developer credentials has been a recurring problem since at least 2015. That year, the vulnerability disclosure platform HackerOne reported that a GitHub account it used had been compromised after the service exposed an access token belonging to one of HackerOne’s developers. A similar leak resurfaced in 2019 and again last year.

The tokens give anyone who obtains them the ability to read or modify the code stored in repositories that distribute countless actively maintained applications and code libraries. Unauthorized access to such projects opens the door to supply chain attacks, in which threat actors tamper with software, for example by inserting malicious code, before it is distributed to users. An attacker who can alter one widely used application or library can reach the many downstream projects that depend on it in production.

Despite being a known security issue, the leaks have continued, according to researchers on Aqua Security’s Nautilus team. Two batches of log data the researchers retrieved through the Travis CI API yielded 4.28 million and 770 million records respectively, covering 2013 through May 2022. After sampling a small percentage of that data, the researchers found what they believe are about 73,000 tokens, secrets, and other credentials.

“These passwords and credentials are linked to popular cloud service providers, including GitHub, AWS, and Docker Hub,” Aqua Security said. “Attackers can use this sensitive data to launch massive cyberattacks and to move laterally in the cloud. Anyone who has ever used Travis CI is potentially exposed, so we recommend rotating your keys immediately.”

Travis CI is a provider of continuous integration, an increasingly common development practice. Often abbreviated CI, it automates the building and testing of every committed code change. For each change, the code is automatically built, tested, and merged into a shared repository. Given the level of access CI needs to do this, CI environments typically hold access tokens and other secrets that grant privileged access to sensitive parts of a cloud account, which is why anything that writes those environment values into a build log turns the log itself into a credential leak.


The access tokens Aqua Security found involved private accounts on a wide range of services, including GitHub, AWS, and Docker Hub.


Examples of exposed credentials included:

  • GitHub access tokens that may allow privileged access to code repositories
  • AWS access keys
  • Credential sets, usually an email address or username plus a password, that grant access to databases such as MySQL and PostgreSQL
  • Docker Hub passwords, which can lead to account takeover if multifactor authentication (MFA) is not enabled

A graph in Aqua Security’s report breaks the findings down by credential type.

Aqua Security researchers added:

We found thousands of GitHub OAuth tokens. It is safe to assume that at least 10-20% of them are live, especially those found in recent logs. We simulated a lateral movement scenario in our cloud lab, based on this initial access scenario:

1. Extraction of a GitHub OAuth token from the exposed Travis CI logs.

2. Discovery of sensitive data (i.e., AWS access keys) in private code repositories using the exposed token.

3. Lateral movement attempts with the AWS access keys against the AWS S3 bucket service.

4. Discovery of cloud storage objects by enumerating buckets.

5. Exfiltration of the targeted S3 data to the attacker’s S3.


Travis CI representatives did not immediately respond to an email seeking comment for this post. Given the recurring nature of this exposure, developers should proactively rotate access tokens and other credentials on a regular schedule, and should scan their code artifacts and build logs regularly to make sure they contain no credentials. Because Travis CI logs remained retrievable years after the builds that produced them, any secret that has ever appeared in one should be treated as compromised and revoked, not merely rotated on schedule. Aqua Security’s post has additional advice.
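As an added illustration for this article (not code from Aqua Security or Travis CI), the following Python scanner performs the kind of credential check the advice above calls for, run over a few constructed build-log lines. The token shapes it matches (AWS access key IDs beginning AKIA or ASIA, GitHub prefixed tokens such as ghp_, passwords passed to docker login -p, and database URLs with embedded passwords) follow the vendors’ published formats; the sample log and the names scan_log, redact and breakdown are this example’s own assumptions.

```python
"""Scan CI build logs for leaked credentials.

Added example for this article; not Aqua Security's or Travis CI's code.
SAMPLE_LOG below is constructed for the demonstration, not a real log.
"""
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str
    redacted: str  # middle of the secret masked so the report does not re-leak it


# Each pattern has exactly one capture group holding the secret material.
# Formats follow the vendors' published token shapes.
PATTERNS = {
    # AWS access key IDs: 'AKIA' (long-term) or 'ASIA' (STS) + 16 uppercase/digits.
    "aws_access_key_id": re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b"),
    # GitHub tokens issued since 2021 carry a type prefix and a 36-char body.
    "github_token": re.compile(r"\b((?:ghp|gho|ghu|ghs|ghr)_[A-Za-z0-9]{36})\b"),
    # 'docker login -u user -p <password>' echoed into the log.
    "docker_hub_password": re.compile(r"docker\s+login\b.*?(?:-p|--password)\s+(\S+)"),
    # postgres://user:password@host or mysql://user:password@host
    "database_url_password": re.compile(r"\b(?:postgres(?:ql)?|mysql)://[^:/\s]+:([^@\s]+)@"),
    # KEY=value where the key name says SECRET/TOKEN/PASSWORD. Brackets are excluded
    # so Travis CI's masked placeholder '[secure]' is not reported as a leak.
    "generic_secret_assignment": re.compile(
        r"\b[A-Z0-9_]*(?:SECRET|TOKEN|PASSWORD)[A-Z0-9_]*=([^\s'\"\[\]]{8,})"
    ),
}


def redact(secret: str, keep: int = 4) -> str:
    """Keep the first and last `keep` chars so a finding can be matched to its source."""
    if len(secret) <= 2 * keep:
        return "*" * len(secret)
    return secret[:keep] + "*" * (len(secret) - 2 * keep) + secret[-keep:]


def scan_log(text: str) -> list[Finding]:
    """Return one Finding per distinct secret per line, in line order."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        seen: set[str] = set()
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                secret = match.group(1)
                if secret in seen:  # same value already matched by a more specific pattern
                    continue
                seen.add(secret)
                findings.append(Finding(line_no, kind, redact(secret)))
    return findings


def breakdown(findings: list[Finding]) -> dict[str, int]:
    """Count findings by credential type, like the per-type breakdown in the report."""
    return dict(Counter(f.kind for f in findings))


# Constructed sample: what a leaky build step might write into a Travis CI log.
SAMPLE_LOG = """\
$ export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
$ export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
$ export DOCKER_PASSWORD=[secure]
$ docker login -u ci-bot -p Sup3rS3cretDockerPw registry-1.docker.io
$ echo $GITHUB_TOKEN
ghp_AbCdEfGhIjKlMnOpQrStUvWxYz0123456789
$ psql postgres://app:pgpass-example-1234@db.internal:5432/app -c 'select 1'
The command "npm test" exited with 0.
"""

if __name__ == "__main__":
    results = scan_log(SAMPLE_LOG)
    for f in results:
        print(f"line {f.line_no}: {f.kind} -> {f.redacted}")
    print(breakdown(results))
```

The masked `[secure]` line is deliberately left unreported, while the `echo $GITHUB_TOKEN` step shows the failure mode the article describes: the variable name on one line is harmless, but the expanded value on the next line is a live token. Findings carry only a redacted copy of each secret, so the scanner’s own output can be stored or posted without recreating the leak.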
