Travis CI stands for “Continuous Integration” but might just as well represent “Consciously Insecure” if, as security researchers claim, the company’s automation software exposes secrets by design.
Aqua Security Software on Monday said its researchers had reported a data disclosure vulnerability with the Travis CI API. The response they said they received is that everything is working as intended.
In a blog post, security researchers Yakir Kadkoda, Ilay Goldman, Assaf Morag, and Ofek Itach said they had found that tens of thousands of user tokens were accessible through the Travis CI API, which provides a way to fetch clear-text log files.
There are evidently more than 770 million logs from free-tier Travis CI users available on demand via API calls. From these logs, the security researchers say, an attacker can extract tokens, secrets, and credentials used for interacting with cloud services like AWS, GitHub, and Docker Hub.
The Aqua Sec group says these tokens can be used to launch attacks or move laterally in the cloud to adjacent systems.
“We disclosed our findings to Travis CI, which responded that this issue is ‘by design’, so all the secrets are currently available,” the Aqua Sec researchers said. “All Travis CI free tier users are potentially exposed, so we recommend rotating your keys immediately.”
Aqua Sec’s team said it reported its findings to cloud service providers, whose customer tokens were exposed, and got a different response: “Almost all of them were alarmed and quickly responded,” they said.
Some then instituted key rotation and others verified that at least half of the researchers’ findings are still valid, with some offering bug bounties for disclosure.
If this sounds familiar, it’s because this issue was reported to Travis CI in 2015 and in 2019 but appears not to have yet been fully addressed. It also came up last September.
Continuous Integration and Continuous Delivery/Deployment describe the practice of automating modern software development and cloud application deployment pipelines. This involves scripts that fetch secrets from environments – access tokens, API keys, and the like – in order to let building, testing, and code merging occur. Secrets of this sort should not be leaked because they can be used to enable supply chain attacks and account hijacking.
The Travis CI API supports fetching logs in clear text and can be explored via enumeration – inputting a continuous range of numbers. The researchers also found an alternative API, using a different URL format, that provided access to other logs not previously accessible – possibly old deleted logs.
By switching the numeric references obtained by making API calls using these two formats, the researchers found they could fetch logs that weren’t previously available and could find secrets within them.
They tested their technique and found logs dating back a decade, with numeric identifiers ranging from about 4,280,000 through 774,807,924 – an upper bound for the number of logs potentially exposed.
Travis CI supports various security measures, like API call rate limiting, the obfuscation of tokens and secrets, secret rotation, and log deletion. Nonetheless, the Aqua Sec folk were still able to find clear text logs that contained sensitive data.
In a sample of 8 million requests, the researchers were able to obtain 73,000 tokens and credentials after the requisite data cleanup. These provided access to various cloud services like GitHub, Codecov, AWS, RabbitMQ, and others.
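For teams checking their own build logs before rotating keys, a scanner along these lines flags credentials that were not obfuscated and masks them. This is an added example, not code from Aqua Security or Travis CI; the pattern set, the `[secure]` mask string and every sample value are assumptions constructed for illustration.

```python
import hashlib
import re

# Public token formats plus a generic NAME=value rule for secret-like names.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "github_token": re.compile(r"\b(gh[pousr]_[A-Za-z0-9]{36})\b"),
    "env_assignment": re.compile(
        r"\b[A-Z0-9_]*(?:TOKEN|SECRET|PASSWORD|API_KEY)[A-Z0-9_]*=(\S+)"),
}
ANSI = re.compile(r"\x1b\[[0-9;]*[A-Za-z]")  # colour codes hide word boundaries
MASKED = {"[secure]", "[REDACTED]"}  # assumed mask strings: already obfuscated

# Constructed sample log; every credential below is a dummy value.
SAMPLE_LOG = "\n".join([
    "$ export DOCKER_PASSWORD=[secure]",
    "$ export GITHUB_TOKEN=ghp_" + "a" * 36,
    "\x1b[32mAKIA" + "Z" * 16 + "\x1b[0m used for upload",
    "Done. Your build exited with 0.",
])


def fingerprint(value):
    """Short hash so a report can identify a secret without repeating it."""
    return hashlib.sha256(value.encode()).hexdigest()[:12]


def scan_log(text):
    """Return (line_no, kind, fingerprint) for each unmasked secret."""
    findings, seen = [], set()
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = ANSI.sub("", raw)
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                value = match.group(1).strip("'\"")
                if value in MASKED or (line_no, value) in seen:
                    continue  # already obfuscated, or matched by an earlier rule
                seen.add((line_no, value))
                findings.append((line_no, kind, fingerprint(value)))
    return findings


def redact(text):
    """Mask every detected value, e.g. before a log is archived or shared."""
    text = ANSI.sub("", text)
    for pattern in PATTERNS.values():
        text = pattern.sub(
            lambda m: m.group(0).replace(m.group(1), "[REDACTED]"), text)
    return text
```

Each finding carries a fingerprint rather than the value itself, so the report can be used to track which keys still need rotating without becoming another leak.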
Coincidentally, GitHub in April issued a warning about the theft of OAuth tokens issued to Heroku and Travis CI. Travis CI responded by noting that relevant keys and tokens had been invalidated and no customer data was exposed.
Travis CI did not immediately respond to a request for comment. ®