Aqua Security’s Team Nautilus has found that tens of thousands of user tokens are exposed via the Travis CI API, allowing anyone to access historical clear-text logs.
According to Team Nautilus, more than 770 million logs of free tier users are available, from which tokens, secrets, and other credentials associated with popular cloud service providers such as GitHub, AWS, and Docker Hub can easily be extracted. Attackers can use this sensitive data to launch massive cyberattacks and to move laterally in the cloud. The issue had been reported to Travis CI before, with public write-ups in 2015 and 2019, but it has never been fully fixed.
Aqua disclosed its findings to Travis, which responded that this behavior is “by design,” so all the secrets remain available. All Travis CI free tier users are potentially exposed, and Aqua recommends rotating keys immediately.
According to Casey Bisson, Head of Product & Developer Enablement at BluBracket, the CI pipeline is one of the most sensitive aspects of any code supply chain, and compromises in configuration or access can have far-reaching effects on everything connected to it.
“But, this goes beyond a configuration and access issue,” Bisson says. “In this case, a flawed security model allows unauthenticated anonymous users to fetch data that should be restricted to authenticated users with permission to access the logs containing plaintext details of the keys, passwords, and other secrets. Or, better yet, the sensitive data should be redacted before it’s written to the log.”
The research team also reported its findings to the respective service providers, and almost all “were alarmed and quickly responded,” Team Nautilus says. Several initiated a wide key rotation, while others verified that at least 50% of the findings were still valid. Some vendors even offered Aqua Security’s team a bounty reward for disclosing the results.
Aqua’s Team Nautilus offers a few recommendations security leaders can follow to mitigate these risks and protect CI environments:
- Establish a rotation policy for keys, tokens, and other secrets.
- Apply the least-privilege principle to keys and tokens when applicable.
- Don’t print secrets, tokens, or credentials in logs.
- Regularly scan your artifacts for secrets.
- Use a cloud security posture management (CSPM) solution that indicates the optimal time to rotate keys.
- Scan your CI/CD environment with a supply chain security solution to find exposed secrets, tokens, and credentials and make sure that your account configuration is aligned with best practices.
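Two of the recommendations above, not printing secrets in logs and regularly scanning artifacts for secrets, can be implemented with the same small piece of logic: a set of patterns that either flag a secret in a stored log or redact it before the line is written. The Python below is an added example and not code from Aqua Security, Travis CI, or any of the vendors named; the log lines are constructed, the AWS access key ID and GitHub personal access token formats are the publicly documented prefixes (AKIA followed by 16 characters, ghp_ followed by 36), and the key=value and -p/--password patterns are heuristics that will also match harmless names such as token_count.

```python
import re
from typing import List, Tuple

# Constructed sample CI log lines. The values are made-up placeholders shaped
# like real credentials (the AWS pair is the well-known documentation example).
SAMPLE_LOG = """\
$ export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
$ export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
$ git clone https://ghp_0123456789abcdefghijklmnopqrstuvwxyz@github.com/example/repo.git
$ docker login -u builder -p s3cretPassw0rd registry.example.com
Build finished in 42s
"""

# Each pattern names the sensitive part with the group "secret"; everything
# outside that group (variable name, flag, URL host) is kept for context.
PATTERNS = [
    # AWS access key ID: documented "AKIA" prefix plus 16 upper-case alphanumerics.
    ("aws-access-key-id", re.compile(r"(?P<secret>AKIA[0-9A-Z]{16})")),
    # GitHub personal access token: documented "ghp_" prefix plus 36 alphanumerics.
    ("github-pat", re.compile(r"(?P<secret>ghp_[A-Za-z0-9]{36})")),
    # Heuristic: NAME=value or NAME: value where NAME contains a secret-like word.
    ("kv-secret", re.compile(
        r"(?i)[A-Za-z0-9_\-]*(?:password|passwd|secret|token|api[_-]?key)"
        r"[A-Za-z0-9_\-]*\s*[=:]\s*(?P<secret>\S+)")),
    # Heuristic: CLI password flags such as "docker login -p ..." or "--password=...".
    ("cli-password", re.compile(r"(?<!\S)(?:-p|--password)(?:\s+|=)(?P<secret>\S+)")),
]

REDACTED_PREFIX = "<REDACTED"


def _redact_match(m: "re.Match", kind: str, findings: List[str]) -> str:
    """Replace only the 'secret' group of a match, skipping already-redacted text."""
    secret = m.group("secret")
    if secret.startswith(REDACTED_PREFIX):
        return m.group(0)  # a more specific pattern already handled this value
    findings.append(kind)
    whole = m.group(0)
    start, end = m.span("secret")
    offset = m.start()
    return whole[: start - offset] + f"{REDACTED_PREFIX}:{kind}>" + whole[end - offset:]


def redact_line(line: str) -> Tuple[str, List[str]]:
    """Return the line with secrets masked, plus the kinds of secret found."""
    findings: List[str] = []
    for kind, rx in PATTERNS:
        line = rx.sub(lambda m, k=kind: _redact_match(m, k, findings), line)
    return line, findings


def scan_log(text: str) -> List[Tuple[int, str]]:
    """Scan a stored log or artifact; return (1-based line number, kind) per hit."""
    hits: List[Tuple[int, str]] = []
    for number, line in enumerate(text.splitlines(), start=1):
        _, findings = redact_line(line)
        hits.extend((number, kind) for kind in findings)
    return hits


def redact_log(text: str) -> str:
    """Produce the version of the log that is safe to write or retain."""
    return "\n".join(redact_line(line)[0] for line in text.splitlines())


if __name__ == "__main__":
    for number, kind in scan_log(SAMPLE_LOG):
        print(f"line {number}: {kind}")
    print(redact_log(SAMPLE_LOG))
```

Run it as a filter in front of the build log writer to cover the "don't print secrets" recommendation, and run scan_log over already-archived logs and build artifacts to cover the scanning one; any hit on an archived log is a signal that the corresponding key should be rotated, regardless of whether the log was ever publicly reachable.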
For more information, please visit aquasec.com.