
Travis CI exposes free-tier users’ secrets – new claim • The Register


Travis CI stands for “Continuous Integration” but might just as well represent “Consciously Insecure” if, as security researchers claim, the company’s automation software exposes secrets by design.

Aqua Security Software on Monday said its researchers had reported a data disclosure vulnerability with the Travis CI API. The response they said they received is that everything is working as intended.

In a blog post security researchers Yakir Kadkoda, Ilay Goldman, Assaf Morag, and Ofek Itach said they had found tens of thousands of user tokens were accessible through the Travis CI API, which provides a way to fetch clear-text log files.

There are evidently more than 770 million logs from free-tier Travis CI users available on demand via API calls. From these logs, the security researchers say, an attacker can extract tokens, secrets, and credentials used for interacting with cloud services like AWS, GitHub, and Docker Hub.

The Aqua Sec group says these tokens can be used to launch attacks or move laterally in the cloud to adjacent systems.

“We disclosed our findings to Travis CI, which responded that this issue is ‘by design’, so all the secrets are currently available,” the Aqua Sec researchers said. “All Travis CI free tier users are potentially exposed, so we recommend rotating your keys immediately.”

Aqua Sec’s team said it reported its findings to cloud service providers, whose customer tokens were exposed, and got a different response: “Almost all of them were alarmed and quickly responded,” they said.


Some then instituted key rotation and others verified that at least half of the researchers’ findings are still valid, with some offering bug bounties for disclosure.

If this sounds familiar, it’s because this issue was reported to Travis CI in 2015 and in 2019 but appears not to have yet been fully addressed. It also came up last September.

Continuous Integration and Continuous Delivery/Deployment describe the practice of automating modern software development and cloud application deployment pipelines. This involves scripts that fetch secrets from environments – access tokens, API keys, and the like – so that building, testing, and code merging can occur. Secrets of this sort should not be leaked because they can be used to enable supply chain attacks and account hijacking.

The Travis CI API supports fetching logs in clear text and can be explored via enumeration – inputting a continuous range of numbers. The researchers also found an alternative API, using a different URL format, that provided access to other logs not previously accessible – possibly old deleted logs.

By switching the numeric references obtained by making API calls using these two formats, the researchers found they could fetch logs that weren’t previously available and could find secrets within them.

They tested their technique and found logs dating back a decade, with numeric identifiers ranging from about 4,280,000 through 774,807,924 – an upper bound for the number of logs potentially exposed.

Travis CI supports various security measures, like API call rate limiting, the obfuscation of tokens and secrets, secret rotation, and log deletion. Nonetheless, the Aqua Sec folk were still able to find clear text logs that contained sensitive data.

In a sample of 8 million requests, the researchers were able to obtain 73,000 tokens and credentials after the requisite data cleanup. These provided access to various cloud services like GitHub, Codecov, AWS, RabbitMQ, and others.
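The article notes that Travis CI masks registered secrets in logs yet the researchers still found clear-text credentials, and that they had to clean up their sample before counting tokens. The scanner below is an added example, not code from The Register or from Aqua Security, showing how a team can audit its own build logs for the same kinds of leakage. It runs over a constructed sample log (the key and token values are made up and follow only the documented public prefixes, AKIA for AWS access key IDs and ghp_ for classic GitHub personal access tokens); it treats the `[secure]` placeholder as already masked and reports only a redacted form of anything else it finds.

```python
import re
from dataclasses import dataclass
from typing import Iterable

# Well-known public credential formats that commonly surface in CI logs.
# The prefixes (AKIA for AWS access key IDs, ghp_ for classic GitHub
# personal access tokens) are documented formats; the sample values
# below are constructed for this example and are not real credentials.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    # Credential embedded in a URL, e.g. a git remote of the form
    # https://user:secret@host/ that a build script echoes.
    "url_basic_auth": re.compile(r"https?://[^/\s:@]+:([^@\s]+)@"),
    # KEY=value style assignments echoed by scripts or tool debug output.
    "generic_assignment": re.compile(
        r"(?i)\b(?:token|secret|password|api[_-]?key)\s*[=:]\s*['\"]?([A-Za-z0-9_\-/+=]{16,})"
    ),
}

# Placeholder Travis CI writes in place of a registered encrypted variable.
MASKED = "[secure]"


@dataclass(frozen=True)
class Finding:
    line_no: int       # 1-based index into the log
    kind: str          # which pattern matched
    redacted: str      # partially masked value, safe to put in a report


def redact(value: str) -> str:
    """Keep just enough of the value to identify it without reproducing it."""
    if len(value) <= 8:
        return "*" * len(value)
    return value[:4] + "*" * (len(value) - 6) + value[-2:]


def scan_log(lines: Iterable[str]) -> list[Finding]:
    """Return one Finding per distinct credential-looking value per line."""
    findings: list[Finding] = []
    seen: set[tuple[int, str]] = set()
    for line_no, line in enumerate(lines, start=1):
        for kind, pattern in SECRET_PATTERNS.items():
            for m in pattern.finditer(line):
                value = m.group(1) if m.groups() else m.group(0)
                if value == MASKED or (line_no, value) in seen:
                    continue  # already masked by the CI, or already reported
                seen.add((line_no, value))
                findings.append(Finding(line_no, kind, redact(value)))
    return findings


# Constructed sample of a build log. Lines 1 and 5 show the CI's own masking
# working; lines 3, 4 and 6 show cases exact-match masking does not cover:
# a tool's debug output, a credential inside a git URL, and a script echoing
# a config value that was never registered as a secret.
SAMPLE_LOG = [
    "$ export AWS_ACCESS_KEY_ID=" + MASKED,
    "$ aws s3 ls --debug",
    "DEBUG: resolved credentials AKIAEXAMPLEKEY000001 (static provider)",
    "$ git clone https://deploy:ghp_" + "A" * 36 + "@github.com/example/repo.git",
    "$ curl -H 'Authorization: token " + MASKED + "' https://api.example.test/",
    "api_key = 'sk_constructed_example_1234567890'",
]


def summarize(lines: Iterable[str]) -> dict[str, int]:
    """Count findings by kind; usable as a CI gate or an audit metric."""
    counts: dict[str, int] = {}
    for f in scan_log(lines):
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.kind} -> {f.redacted}")
    print(summarize(SAMPLE_LOG))
```

The design point is the `[secure]` check: masking only replaces values the CI knows about, so a credential that a tool prints from its own config, or that sits inside a URL the build script echoes, reaches the log untouched. Running a scanner like this over stored logs, and failing the build when it reports anything, catches those paths before the logs are retained or served over an API; it complements, rather than replaces, rotating any key that has ever appeared in a log.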

Coincidentally, GitHub in April issued a warning about the theft of OAuth tokens issued to Heroku and Travis CI. Travis CI responded by noting that relevant keys and tokens had been invalidated and no customer data was exposed.

Travis CI did not immediately respond to a request for comment. ®
