Researchers on Monday found that tens of thousands of user tokens are exposed via the open source Travis CI API — information bad actors can use to launch massive attacks and move laterally in the cloud.
In a blog post, Aqua’s Team Nautilus found more than 770 million logs of “free tier” users are available, from which threat actors can easily extract tokens, secrets, and other credentials associated with popular cloud service providers such as GitHub, AWS and Docker Hub.
Team Nautilus presented its findings to Travis, which responded that this issue is “by design,” so all the secrets are currently available. All Travis CI free tier users are potentially exposed, so Team Nautilus recommends that users rotate their keys immediately.
“The CI pipeline has become one of the most sensitive aspects of any code supply chain,” said Casey Bisson, head of product and developer enablement at BluBracket. Bisson said compromises in configuration or access can have far-reaching effects on everything connected to it.
Bisson said in this case, a flawed security model let unauthenticated anonymous users fetch data that should be restricted to authenticated users with permission to access the logs containing plaintext details of the keys, passwords, and other secrets. Bisson said the sensitive data should have been redacted before it's written to the log.
“From an engineering perspective, Travis CI's product works as designed,” Bisson said. “Unfortunately, the design is flawed, leading to this data breach.”
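The redaction Bisson describes, applied at the point where a job's output is written, as an added illustration that is not Travis CI's code: secret values the pipeline injected into the job are masked verbatim, and well-known token shapes (assumed here to be just the AWS access key ID and GitHub token prefixes) are masked even when the pipeline was never told about them. The sample log lines and secret values are constructed (the AWS ones are AWS's published example credentials).

```python
import re

# Well-known credential formats screened for by shape (assumption: only these two).
SECRET_PATTERNS = [
    ("AWS access key id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("GitHub token", re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b")),
]


class LogRedactor:
    """Masks secrets in a log line before it reaches any shared or public log.

    Two layers: exact values the pipeline already knows are secret (the
    environment secrets it injected into the job), and pattern matches for
    token formats that were pasted in some other way.
    """

    def __init__(self, known_secrets, min_len=8):
        # Skip very short values: masking "1" or "ok" would shred the whole log.
        self.known = sorted(
            (s for s in known_secrets if s and len(s) >= min_len),
            key=len, reverse=True,  # longest first so a substring secret is handled too
        )

    def redact(self, line):
        for value in self.known:
            line = line.replace(value, "[REDACTED]")
        for name, pattern in SECRET_PATTERNS:
            line = pattern.sub(f"[REDACTED {name}]", line)
        return line

    def leaks(self, line):
        """True if the line still carries a known secret or a token-shaped string."""
        return any(v in line for v in self.known) or any(
            p.search(line) for _, p in SECRET_PATTERNS
        )


# Constructed sample: the secrets handed to a job and the raw output it printed.
JOB_SECRETS = {
    "DOCKER_PASSWORD": "hunter2-dockerhub-pw",
    "AWS_SECRET_ACCESS_KEY": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
}
RAW_LOG = [
    "docker login -u ci-bot -p hunter2-dockerhub-pw",
    "export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE",
    "export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    "git clone https://ghp_abcdefghijklmnopqrstuvwxyz0123456789@github.com/org/repo.git",
    "Build finished in 42s",
]


def redact_log(lines, secrets):
    """Redact every line of a job log using the secrets that job was given."""
    redactor = LogRedactor(secrets.values())
    return [redactor.redact(line) for line in lines]
```

Pattern matching is a backstop, not a substitute for keeping secrets out of job output in the first place: a secret of an unknown shape that the pipeline was never told about passes through untouched.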
Scott Gerlach, co-founder and CSO at StackHawk, added that there’s a lot of discussion in the industry about shifting security into CI/CD. However, Gerlach said a necessary, and sometimes forgotten, predecessor is making sure that the pipeline itself has been secured.
“Leading teams know securing the pipeline ranks as a first step in software delivery, and that's why they rely on secrets management and secrets detection to protect themselves from exploits,” said Gerlach. “Here’s a great opportunity for security teams to build bridges with DevOps teams and act as consultants for secure pipelines and infrastructure.”