For a second time in less than a year, the Travis CI platform for software development and testing has exposed user data containing authentication tokens that could give access to developers’ accounts on GitHub, Amazon Web Services, and Docker Hub.
Researchers at Aqua Security discovered that “tens of thousands of user tokens” are exposed through the Travis CI API that offer access to more than 770 million logs with various types of credentials belonging to free tier users.
Enumerating log numbers
While investigating potential security risks from using continuous integration (CI) services, the researchers focused on the Travis platform and discovered an API call that allowed fetching logs in clear text when using the right log number.
The researchers found that Travis CI did not enforce sufficient protections for the log numbers and were able to run an enumeration script to retrieve the strings “from zero to infinity.”
The researchers found a second API call in a documented API system that allowed access to another set of clear text logs that were previously unavailable.
Using the two methods, Aqua Security researchers say that they were able to find logs dating between January 2013 and May 2022. They determined that the range of valid logs was between 4.2 million and 774 million.
After analyzing a sample of 8 million logs, the researchers found around 73,000 sensitive strings in the form of tokens, secrets, and various credentials associated with cloud services like GitHub, Amazon Web Services (AWS), and Docker Hub.
Aqua Security notes that some of the data in historic logs was obfuscated. However, the effort was insufficient, the researchers say, since Travis CI allows developers to use various naming conventions for sensitive information.
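The gap described above, where masking keys off the variable name and so misses the same secret under a custom name, is easy to see with a value-based scanner. The following is an added example written for this article, not code from Aqua Security or Travis CI; the log lines are constructed, the GitHub and AWS key prefixes are the publicly documented ones, and the Docker Hub token prefix is an assumption.

```python
import re
from collections import namedtuple

Finding = namedtuple("Finding", "line_no kind value")

# Value-shape patterns: they match on how a credential looks, not on what the
# variable holding it is called. The Docker Hub prefix is an assumption here.
VALUE_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "dockerhub_pat": re.compile(r"\bdckr_pat_[A-Za-z0-9_-]{20,}\b"),
}

# Name-based masking as the article describes it: only a fixed list of
# well-known variable names is redacted, so any other name leaks its value.
KNOWN_NAMES = ("AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "GITHUB_TOKEN")
ASSIGNMENT = re.compile(r"(\w+)=(\S+)")

# Constructed CI log lines; every credential value below is fake.
SAMPLE_LOG = [
    "$ export AWS_ACCESS_KEY_ID=AKIAEXAMPLEEXAMPLE01",
    "$ export MY_CLOUD_KEY=AKIAEXAMPLEEXAMPLE02",
    "$ git clone https://ghp_0123456789abcdefghijklmnopqrstuvwxyz@github.com/org/repo.git",
    "$ docker login -u dev -p dckr_pat_exampleexampleexample12",
    "Build finished in 42s",
]


def mask_by_name(line):
    """Redact a value only when its variable name is on the known list."""
    def redact(m):
        return f"{m.group(1)}=[secure]" if m.group(1) in KNOWN_NAMES else m.group(0)
    return ASSIGNMENT.sub(redact, line)


def scan_log(lines):
    """Return a Finding for every credential-shaped value, whatever its name."""
    return [Finding(n, kind, m.group(0))
            for n, line in enumerate(lines, 1)
            for kind, pat in VALUE_PATTERNS.items()
            for m in pat.finditer(line)]


def leaked_after_masking(lines):
    """What a value-based scanner still finds after name-based masking ran."""
    return scan_log([mask_by_name(line) for line in lines])


if __name__ == "__main__":
    for f in leaked_after_masking(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.kind} still present after masking")
```

Running it shows the first key redacted by name while the identically shaped key on line 2, the embedded GitHub token, and the Docker Hub token survive masking and are caught only by the value-based scan.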
Aqua Security shared its findings with Travis CI hoping for a fix. However, the CI service replied that the issue was “by design” and left the data exposed.
Exposing user logs seems to be a recurrent problem for Travis CI, as reports about this type of risk were published in 2015, 2019, and 2021.