The Travis CI API leaks thousands of user tokens, allowing threat actors to easily access sensitive data on GitHub, AWS, and Docker Hub, according to a new report from Aqua Security's cybersecurity arm Team Nautilus.

Travis CI is a hosted continuous integration service that developers can use to build and test software projects hosted on GitHub and Bitbucket.

According to Team Nautilus, tens of thousands of user tokens are exposed through the API, allowing almost anyone free access to plain-text historical records. In these records, over 770 million of them (all belonging to free tier users) are tokens, secrets, and other credentials that hackers can use to move laterally in the cloud and launch various cyberattacks, such as chain-of-chain attacks. supply.

Alarmed service providers

Travis CI doesn't seem too concerned about the issue, as Nautilus said he disclosed his findings to the team and was told the issue was "by design."

"All users of the free tier of Travis CI are potentially at risk, so we recommend that you rotate your keys immediately," the researchers warned.

While Travis CI doesn't seem overly concerned about this, the service providers are. Almost everyone, says Nautilus, was alarmed and quickly responded with wide key turns. Some verified that at least half of the results were still valid.

The availability of these developer credentials has been an "ongoing issue since at least 2015," Ars Technica noted.

Seven years ago, HackerOne reported that its GitHub account was compromised after Travis CI exposed a token for one of its developers. A similar scenario occurred two more times afterward, once in 2019 and once in 2020, according to the publication.

Travis CI hasn't commented on the new findings, and since he previously said it was "by design," it's likely he won't. Developers are encouraged to proactively rotate access tokens and other credentials from time to time.

Via: Ars Technica (Opens in a new tab)

Share This