A flaw in Travis CI continuous integration software exposed sensitive data from thousands of open source projects online. This is not the first time the software has encountered such security issues. Travis is a CI tool that allows software developers to automate the testing and integration of new code into open source projects. Aqua researchers discovered that it is possible to access up to 770 million ‘logs’ from Travis CI free tier users, even those who have deleted their accounts, via one of the software’s APIs.
Attackers can extract user authentication tokens used to log in to cloud services such as GitHub, Docker Hub, and AWS from these logs, which are stored in clear text. The researchers discovered more than 70,000 sensitive tokens and other confidential credentials in a sample of eight million logs. “All Travis CI free tier users are potentially exposed,” the Aqua team says. According to 2019 data, Travis CI was used in 932,977 open source projects by more than 600,000 unique users.
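To give a concrete sense of what “tokens in clear-text logs” looks like, here is an added example (not code from Travis CI, Aqua or the article) that scans build-log lines for a handful of common credential shapes and masks only the secret portion. The GitHub `ghp_` and AWS `AKIA`/`ASIA` prefixes are documented public token formats; the Docker-login, bearer-header and URL-embedded-password patterns are heuristics chosen for this example, and the sample log lines are constructed (the AWS key is Amazon’s own documentation example, the rest are made up).

```python
"""Scan CI build-log lines for credentials that were echoed in clear text.

Added example, not Travis CI or Aqua code. GitHub 'ghp_' and AWS 'AKIA'/'ASIA'
prefixes are documented public token formats; the other patterns are
heuristics chosen for this example.
"""
import re
from typing import Dict, List, Tuple

REDACTED = "[REDACTED]"

TOKEN_PATTERNS: Dict[str, re.Pattern] = {
    # Classic GitHub personal access token: "ghp_" + 36 alphanumerics.
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    # AWS access key ID (long-term AKIA..., temporary ASIA...), 20 chars total.
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
    # Bearer token printed by a verbose HTTP client; group 1 is the secret.
    "bearer_header": re.compile(
        r"Authorization:\s*Bearer\s+([A-Za-z0-9._\-]{20,})", re.IGNORECASE),
    # Password passed on the docker login command line; group 1 is the secret.
    "docker_login": re.compile(
        r"docker\s+login\b.*?(?:-p|--password)[ =]([^\s'\"]+)", re.IGNORECASE),
    # Credential embedded in a clone/push URL (user:secret@host); group 1 is the secret.
    "basic_auth_url": re.compile(r"https?://[^/\s:@]+:([^@\s]+)@"),
}

Finding = Tuple[int, str, str]  # (line number, pattern name, secret)


def scan_log(lines: List[str]) -> List[Finding]:
    """Return every credential found, one entry per distinct (line, secret)."""
    findings: List[Finding] = []
    seen = set()
    for lineno, line in enumerate(lines, 1):
        for name, pat in TOKEN_PATTERNS.items():
            for m in pat.finditer(line):
                secret = m.group(1) if m.lastindex else m.group(0)
                if secret == REDACTED or (lineno, secret) in seen:
                    continue  # already masked, or caught by an earlier pattern
                seen.add((lineno, secret))
                findings.append((lineno, name, secret))
    return findings


def redact_line(line: str) -> str:
    """Mask only the secret part of each match so the log stays readable."""
    for pat in TOKEN_PATTERNS.values():
        def _mask(m: re.Match) -> str:
            if not m.lastindex:
                return REDACTED
            start, end = m.span(1)
            return m.string[m.start():start] + REDACTED + m.string[end:m.end()]
        line = pat.sub(_mask, line)
    return line


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per credential type, e.g. for a triage report."""
    counts: Dict[str, int] = {}
    for _, name, _ in findings:
        counts[name] = counts.get(name, 0) + 1
    return counts


# Constructed sample log. The AWS key is Amazon's documentation example key;
# the other values are made up and are not real credentials.
SAMPLE_LOG = [
    "$ git clone https://x-access-token:ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789@github.com/org/repo.git",
    "Cloning into 'repo'...",
    "$ export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE",
    "$ docker login -u builder -p hunter2hunter2 registry-1.docker.io",
    "Login Succeeded",
    "$ curl -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.e30.abcdefghijklmnop' https://api.example.internal/deploy",
    "Build finished in 42s",
]

if __name__ == "__main__":
    for lineno, name, secret in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {name}: {secret[:6]}...")
    print(summarize(scan_log(SAMPLE_LOG)))
    for line in SAMPLE_LOG:
        print(redact_line(line))
```

Two design points worth noting: the scanner deduplicates on (line, secret) because one leaked value often trips several detectors (the `ghp_` token above also matches the URL-embedded-password pattern), and the redactor masks only the capture group, so a reviewer can still see which command leaked what. A pattern list like this is a floor, not a ceiling; secrets without a recognisable prefix (most API keys, passwords) will only be caught if the CI system masks the values it was given as secrets before writing the log.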
Such access to high-level user credentials poses a risk to the software developers who use the product as well as to their customers. “If an attacker obtains these credentials, there is nothing stopping them from introducing malicious code into libraries or the build process,” explains Bharat Mistry, Trend Micro’s technical director for the UK and Ireland. “This flaw could undoubtedly lead to digital supply chain attacks.”
Supply chain attacks can be extremely damaging. In 2020, the SolarWinds attack gave state-sponsored Russian hackers access to the systems of thousands of businesses and government organisations. The Kaseya supply chain attack in 2021 allowed criminals to encrypt the data of over 1,500 companies at the same time, holding them all hostage.