Another Top Developer Directory Has Been Hit By Hackers

The Travis CI API leaks thousands of user tokens, giving threat actors easy access to sensitive data in GitHub, AWS and Docker Hub, according to a new report from Team Nautilus, Aqua Security’s cybersecurity arm.

Travis CI is a hosted continuous integration service, which developers can use to build and test software projects hosted on GitHub and Bitbucket.

According to Team Nautilus, tens of thousands of user tokens are exposed through the API, which gives almost anyone free access to historical plain-text logs. These logs, of which there are more than 770 million (all belonging to free-tier users), contain tokens, secrets, and other credentials that hackers can use to move laterally in the cloud and launch various cyber attacks, such as supply chain attacks.

Service providers alarmed

Travis CI doesn’t seem overly concerned about the issue: Nautilus said it disclosed its findings to the team and was told the problem was “by design”.

“All users of the free tier of Travis CI are potentially at risk, so we recommend that you rotate your keys immediately,” the researchers warned.

While Travis CI doesn’t seem too concerned about this, the service providers are. Almost all, Nautilus says, were alarmed and responded quickly with wide key rotations. Some verified that at least half of the results were still valid.

The availability of these developer credentials has been an “ongoing issue since at least 2015”, Ars Technica noted.

Seven years ago, HackerOne reported that its GitHub account had been compromised after Travis CI exposed a token for one of its developers. A similar scenario happened two more times afterwards, once in 2019 and once in 2020, according to the publication.

Travis CI hasn’t commented on the new findings, and given that it previously said the behavior was “by design,” it likely won’t. Developers are advised to proactively rotate access tokens and other credentials from time to time.
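To decide which credentials to rotate first, a team can audit its own exported build logs for the kinds of secrets the report describes. The sketch below is an added example, not code from Aqua Security or Travis CI; the token patterns, the masking placeholders and the sample log are assumptions constructed for illustration.

```python
import hashlib
import re

# Illustrative rules (assumed token shapes) for the services the article names,
# plus a generic rule for secret-looking variable assignments.
RULES = {
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "dockerhub_pat": re.compile(r"\bdckr_pat_[A-Za-z0-9_-]{20,}"),
    "secret_assignment": re.compile(
        r"\b([A-Z0-9_]*(?:TOKEN|SECRET|PASSWORD|API_KEY)[A-Z0-9_]*)=(\S+)"),
}
# Placeholders CI systems print instead of a protected value; not a leak.
MASKED = {"[secure]", "[REDACTED]", "***"}


def scan_log(text):
    """Return one redacted finding per distinct credential found in a build log."""
    findings, seen = [], set()
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, rx in RULES.items():
            for m in rx.finditer(line):
                # Rules with groups capture the value last; others match it whole.
                value = m.group(m.lastindex or 0).strip("'\"")
                if value in MASKED:
                    continue
                # The fingerprint allows dedup and rotation tracking without storing the secret.
                fp = hashlib.sha256(value.encode()).hexdigest()[:12]
                if fp in seen:
                    continue
                seen.add(fp)
                findings.append({"line": lineno, "kind": kind, "fingerprint": fp,
                                 "preview": f"{value[:4]}... ({len(value)} chars)"})
    return findings


# Constructed sample log; every credential below is fake.
FAKE_GH = "ghp_" + "Ab3" * 12
SAMPLE_LOG = "\n".join([
    "$ export GITHUB_TOKEN=[secure]",
    "$ export DEPLOY_PASSWORD=hunter2-constructed",
    f"$ git clone https://{FAKE_GH}@github.com/example/repo.git",
    "aws_access_key_id = AKIAIOSFODNN7EXAMPLE",
    f"$ git push https://{FAKE_GH}@github.com/example/repo.git",
])

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f)
```

Each finding carries only a short preview and a hash fingerprint, so the audit report can be shared without leaking the credential a second time.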

By: Ars Technica
