A significant security vulnerability in the Travis CI API has put the user tokens of numerous developers at risk, potentially exposing them to severe cyber threats. This flaw enables malicious actors to compromise cloud infrastructures, perform unauthorized code modifications, and execute supply chain attacks.

Recent research from cloud security experts at Aqua reveals that over 770 million logs from free-tier users are accessible, making it alarmingly simple for attackers to extract sensitive tokens, secrets, and credentials linked to major cloud services, such as GitHub, AWS, and Docker Hub.

Travis CI is a well-known continuous integration service used to build and test software hosted on platforms such as GitHub and Bitbucket. The reported vulnerability is not new: it follows earlier findings in 2015 and 2019, and stems from the API allowing cleartext access to historical build logs, which makes unauthorized log retrieval straightforward.

The logs date back to January 2013, encompassing entries up to May 2022, which could be accessed through unique log retrieval identifiers. Analysis of a sample set of 20,000 logs uncovered an astonishing 73,000 tokens and access keys related to various cloud services.

Despite measures taken by Travis CI to rate-limit the API and to mask sensitive information in build logs with placeholders, these efforts have proven insufficient. For instance, a value exposed under the variable name “github_token” is obscured, while the same kind of value under variants such as “github_secret,” “gh_token,” or “github_api_key” is not adequately protected, leaving users at elevated risk.
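To make the masking gap concrete, the following is an added Python example, not code from the article, from Aqua, or from Travis CI. It runs two log-scrubbing strategies over constructed build-log lines: a name allow-list that knows only `github_token` (the behaviour the paragraph describes), and a broader filter that masks any assignment whose variable name contains a credential-like word and, independently, any value whose shape matches a known token format even when it is merely echoed rather than exported. The `[secure]` placeholder, the sample lines and the token values are constructed for this example; the `ghp_` and `AKIA` prefixes are the public formats of GitHub personal access tokens and AWS access key IDs.

```python
import re

PLACEHOLDER = "[secure]"

# Constructed sample build-log lines (not taken from any real Travis CI log).
# The token values are obviously fake: a real prefix followed by repeated letters.
SAMPLE_LOG = [
    f"$ export github_token=ghp_{'A' * 36}",
    f"$ export github_secret=ghp_{'B' * 36}",
    f"$ export gh_token=ghp_{'C' * 36}",
    f"$ export github_api_key=ghp_{'D' * 36}",
    "$ export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    "$ export NODE_ENV=production",
    f"Token is ghp_{'E' * 36}",          # value printed by a script, never exported
    "Build finished in 42s",
]

# --- Weak strategy: mask only variable names on a fixed list -----------------
KNOWN_SECRET_NAMES = {"github_token"}
ASSIGNMENT_RE = re.compile(r"\b(\w+)=(\S+)")


def mask_by_name(lines):
    """Replace the value of an assignment only if its name is on the allow-list.
    Renamed variants (gh_token, github_secret, ...) pass through untouched."""
    def repl(m):
        name, value = m.group(1), m.group(2)
        return f"{name}={PLACEHOLDER}" if name in KNOWN_SECRET_NAMES else m.group(0)
    return [ASSIGNMENT_RE.sub(repl, line) for line in lines]


# --- Hardened strategy: credential-like names plus value shapes --------------
# 1. Any assignment whose variable name contains a credential-bearing word.
SECRET_NAME_RE = re.compile(
    r"\b(\w*(?:token|secret|password|passwd|api_?key|access_?key|credential)\w*)=(\S+)",
    re.IGNORECASE,
)
# 2. Any value matching a known token shape, wherever it appears in the line.
TOKEN_SHAPE_RES = [
    re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),  # GitHub personal access token
    re.compile(r"\bAKIA[0-9A-Z]{16}\b"),     # AWS access key ID
]


def mask_by_pattern(lines):
    """Mask by name pattern first, then by value shape, so a renamed variable
    or a token echoed without any assignment is still caught."""
    out = []
    for line in lines:
        line = SECRET_NAME_RE.sub(lambda m: f"{m.group(1)}={PLACEHOLDER}", line)
        for shape in TOKEN_SHAPE_RES:
            line = shape.sub(PLACEHOLDER, line)
        out.append(line)
    return out


def leaked_lines(masked_lines):
    """Lines in which a recognisable token shape survived masking.
    Useful as a post-processing check on whatever masking a CI system applies."""
    return [l for l in masked_lines if any(s.search(l) for s in TOKEN_SHAPE_RES)]


if __name__ == "__main__":
    for label, fn in (("name allow-list", mask_by_name), ("name+shape", mask_by_pattern)):
        masked = fn(SAMPLE_LOG)
        print(f"== {label}: {len(leaked_lines(masked))} line(s) still leak a token")
        for line in masked:
            print("   ", line)
```

The `leaked_lines` check is the part a defender can reuse: run it over archived build logs to measure how much a name-based masking scheme actually misses, independent of which CI system produced the logs.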

Researchers noted that while Travis CI has attempted to alleviate the exposure of information through rate-limiting practices, determined threat actors may still circumvent defenses. They stated that the combination of easy log retrieval, incomplete data masking, and ineffective rate limiting creates a critical vulnerability landscape.

In response to the alarming findings, Travis CI has indicated that the current security mechanism is “by design,” urging users to adopt best practices such as routinely rotating their tokens and being vigilant about safeguarding credentials in build logs.

This incident is particularly noteworthy considering a recent attack in April 2022, which exploited compromised GitHub OAuth tokens linked to both Travis CI and Heroku, allowing attackers to gain unauthorized access to the NPM infrastructure and clone select private repositories.
