Travis CI exposes free-tier users' secrets – new claim

API can be manipulated to reveal tokens in clear text log data

Travis CI stands for "Continuous Integration" but might just as well represent "Consciously Insecure" if, as security researchers claim, the company's automation software exposes secrets by design.

Aqua Security Software on Monday said its researchers had reported a data disclosure vulnerability with the Travis CI API. The response they said they received is that everything is working as intended.

In a blog post security researchers Yakir Kadkoda, Ilay Goldman, Assaf Morag, and Ofek Itach said they had found tens of thousands of user tokens were accessible through the Travis CI API, which provides a way to fetch clear-text log files.

There are evidently more than 770 million logs from free-tier Travis CI users available on demand via API calls. From these logs, the security researchers say, an attacker can extract tokens, secrets, and credentials used for interacting with cloud services like AWS, GitHub, and Docker Hub.

The Aqua Sec group says these tokens can be used to launch attacks or move laterally in the cloud to adjacent systems.

"We disclosed our findings to Travis CI, which responded that this issue is 'by design', so all the secrets are currently available," the Aqua Sec researchers said. "All Travis CI free tier users are potentially exposed, so we recommend rotating your keys immediately."

Aqua Sec's team said it reported its findings to cloud service providers, whose customer tokens were exposed, and got a different response: "Almost all of them were alarmed and quickly responded," they said.

Some then instituted key rotation and others verified that at least half of the researchers' findings are still valid, with some offering bug bounties for disclosure.

If this sounds familiar, it's because this issue was reported to Travis CI in 2015 and in 2019 but appears not to have yet been fully addressed. It also came up last September.

Continuous Integration and Continuous Delivery/Deployment describe the practice of automating modern software development and cloud application deployment pipelines. This involves scripts that fetch secrets from environments – access tokens, API keys, and the like – so that building, testing, and code merging can occur. Secrets of this sort should not be leaked because they can be used to enable supply chain attacks and account hijacking.

The Travis CI API supports fetching logs in clear text and can be explored via enumeration – inputting a continuous range of numbers. The researchers also found an alternative API, using a different URL format, that provided access to other logs not previously accessible – possibly old deleted logs.

By switching the numeric references obtained by making API calls using these two formats, the researchers found they could fetch logs that weren't previously available and could find secrets within them.

They tested their technique and found logs dating back a decade, with numeric identifiers ranging from about 4,280,000 through 774,807,924 – an upper bound for the number of logs potentially exposed.

Travis CI supports various security measures, like API call rate limiting, the obfuscation of tokens and secrets, secret rotation, and log deletion. Nonetheless, the Aqua Sec folk were still able to find clear text logs that contained sensitive data.
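The article's two technical points – that CI pipelines export secrets into the build environment, and that a CI service is expected to obfuscate those secrets before a log is stored or served – can be illustrated with a small log sanitizer. The following is an added example written for this page, not code from Travis CI, Aqua Security, or the article; the sample log lines, the credential values in them, and the function names `mask_line` and `sanitize_log` are all constructed for illustration. It masks the well-known formats of AWS access key IDs and GitHub personal access tokens, any environment assignment whose variable name suggests a credential, and passwords embedded in clone URLs, and it reports which kinds of secret it found on which line so a pipeline owner can see what would have leaked.

```python
import re

# Credential shapes to redact before a build log is stored or served.
# The first two are well-known public formats (AWS access key IDs start
# with AKIA and are 20 characters; GitHub PATs start with ghp_ and are
# 40 characters); the other two are generic heuristics.
SECRET_PATTERNS = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("github_token", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
    # NAME=value where NAME contains TOKEN, SECRET, PASSWORD or API_KEY.
    ("env_assignment", re.compile(
        r"(?i)\b([A-Z0-9_]*(?:TOKEN|SECRET|PASSWORD|API_KEY)[A-Z0-9_]*)=([^\s'\"]+)")),
    # scheme://user:password@host – keep the user, hide the password.
    ("url_credentials", re.compile(r"(?i)(https?://)([^:/\s]+):([^@\s]+)@")),
]


def mask_line(line):
    """Return (masked_line, kinds): the line with secrets replaced by
    [MASKED] and the list of pattern names that matched, in pattern order."""
    kinds = []
    for kind, pattern in SECRET_PATTERNS:
        if kind == "env_assignment":
            repl = lambda m: f"{m.group(1)}=[MASKED]"
        elif kind == "url_credentials":
            repl = lambda m: f"{m.group(1)}{m.group(2)}:[MASKED]@"
        else:
            repl = "[MASKED]"
        line, count = pattern.subn(repl, line)
        if count:
            kinds.append(kind)
    return line, kinds


def sanitize_log(lines):
    """Mask every line of a build log. Returns (masked_lines, findings) where
    findings is a list of (1-based line number, kinds) for lines that leaked."""
    masked_lines, findings = [], []
    for number, line in enumerate(lines, 1):
        masked, kinds = mask_line(line)
        masked_lines.append(masked)
        if kinds:
            findings.append((number, kinds))
    return masked_lines, findings


# Constructed sample of a build log that echoes its environment; every
# credential value here is fake and chosen only to match the formats above.
SAMPLE_LOG = [
    "$ export AWS_ACCESS_KEY_ID=AKIAEXAMPLEEXAMPLE01",
    "$ export AWS_SECRET_ACCESS_KEY=constructedSecretValueNotReal12345",
    "$ git clone https://deploy:hunter2pw@example.invalid/org/repo.git",
    "remote: using token ghp_0123456789abcdef0123456789abcdef0123",
    "$ make test",
    "PASS: 42 tests, 0 failures",
]

if __name__ == "__main__":
    masked, findings = sanitize_log(SAMPLE_LOG)
    for number, kinds in findings:
        print(f"line {number}: leaked {', '.join(kinds)}")
    print("\n".join(masked))
```

Run as a filter over a log before it is persisted, this turns the four leaking lines into redacted ones and leaves the harmless build output untouched; the findings list doubles as a detection signal that a pipeline is echoing its environment, which is the root cause worth fixing rather than relying on masking alone.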

In a sample of 8 million requests, the researchers were able to obtain 73,000 tokens and credentials after the requisite data cleanup. These provided access to various cloud services like GitHub, Codecov, AWS, RabbitMQ, and others.

Coincidentally, GitHub in April issued a warning about the theft of OAuth tokens issued to Heroku and Travis CI. Travis CI responded by noting that relevant keys and tokens had been invalidated and no customer data was exposed.

Travis CI did not immediately respond to a request for comment. ®
