On Tuesday, security researchers discovered a large-scale account breach of the popular continuous integration development tool Travis CI. More than 770 million Travis CI free version user log data was leaked in plaintext, including a large amount of sensitive confidential information (development tokens, cloud Service credentials, etc.), and tens of thousands of open source project development accounts on Github and Docker were affected, which indicates the importance of doing great in data backup and recovery.
Travis CI has not responded publicly to Aqua Security’s security report. Given the recurrence of this exposure, developers should proactively rotate access tokens and other credentials on a regular basis. Also, code artifacts should be scanned regularly to ensure they do not contain credentials. Meanwhile, data protection is becoming increasingly important.
The API of Travis CI (Continuous Integration Development Tool), a service that helps open source developers develop and test software, is exposing tens of thousands of identity tokens and other security-sensitive secrets, researchers from Aqua Security’s Nautilus team report. Many of these leaks allowed hackers to access developers’ private accounts on Github, Docker, AWS and other code repositories, security experts said in a new report.
Travis CI, an increasingly popular agile development tool known as continuous integration, often abbreviated to CI, automates the process of developing and testing code changes and has become an essential part of modern development and cloud-native application pipelines.
CI periodically builds, tests, and merges the code into a shared repository for every code change. CI environments often store a lot of sensitive information, such as access tokens, to automate access to the cloud or other components in the pipeline. In some cases, these access tokens are set to have high permissions to read, write, manage, etc. Theft of such access tokens can lead to data breaches, account takeovers, and even lateral movement across multiple cloud accounts.
Pandora’s Box of Massive Supply Chain Attacks Opened
Since at least 2015, Travis CI has continued to expose issues with the availability of third-party developer credentials. At the time, security breach service platform HackerOne reported that one of HackerOne’s Github accounts was compromised when Travis CI exposed one of its developers’ access tokens. Similar data breaches recur in 2019 and 2021.
The leaked developer access token can be used to (unauthorized) read or modify code stored in the repositories responsible for distributing a large number of ongoing software applications and code repositories. The ability to gain unauthorized access to such projects opens the door to large-scale supply chain attacks for attackers to launch upstream attacks against numerous projects that rely on applications in production servers by tampering with applications in repositories.
Researchers from Aqua Security’s Nautilus team report that despite this being a known security issue, the leak continues. The researchers used Travis CI API access to collect a large amount of plaintext log data from 2013 to May 2022 in two batches, with the number of 428 million and 770 million, respectively. The researchers sampled just a fraction of the data and found 73,000 tokens, secrets, and various certificates.
“These access keys and credentials are associated with popular cloud service providers, including GitHub, AWS, and Docker Hub,” Aqua Security said. “Attackers can use this sensitive data to launch large-scale cyberattacks and move laterally across the cloud. Anyone who has ever used Travis CI is at risk of being exposed, so we recommend rotating your keys immediately.”
A sample exposed access token (above) includes:
GitHub’s access token, which may allow privileged access to code repositories
AWS access key
A set of credentials, usually an email or username and password, to access databases such as MySQL and PostgreSQL
Docker Hub password, which can lead to account takeover if MFA (Multi-Factor Authentication) is not activated
Thousands of GitHub tokens leaked
Aqua Security researchers added:
We found thousands of GitHub OAuth tokens. It’s safe to assume that at least 10-20% of them are effectively available, especially those found in recent logs. We simulated a lateral movement scenario in the cloud lab based on this initial access scenario:
- Extract the GitHub OAuth token via the public Travis CI logs.
- Discover sensitive data (i.e. AWS access keys) in private code repositories using public tokens.
- Use the AWS access key in the AWS S3 bucket service for a lateral movement attempt.
- Discover cloud storage objects through enumeration.
- Data is leaked from the target’s S3 to the attacker’s S3.