For a second time in less than a year, the Travis CI platform for software development and testing has exposed user data containing authentication tokens that could give access to developers’ accounts on GitHub, Amazon Web Services, and Docker Hub.
Researchers at Aqua Security discovered that “tens of thousands of user tokens” are exposed through the Travis CI API that offer access to more than 770 million logs with various types of credentials belonging to free tier users.
Enumerating log numbers
While investigating potential security risks from using continuous integration (CI) services, the researchers focused on the Travis platform and discovered an API call that allowed fetching logs in clear text when using the right log number.
The researchers found that Travis CI did not enforce sufficient protections for the log numbers and were able to run an enumeration script to retrieve the strings “from zero to infinity.”
“This is not easy with other vendors because they require mentioning in the URL an application ID or customer ID (or both), which makes it difficult to run enumeration over the logs” – Aqua Security
The researchers found a second API call in a documented API system that allowed access to another set of clear text logs that were previously unavailable.
Using the two methods, Aqua Security researchers say that they were able to find logs dating between January 2013 and May 2022. They determined that the range of valid logs was between 4.2 million and 774 million.
After analyzing a sample of 8 million logs, the researchers found around 73,000 sensitive strings in the form of tokens, secrets, and various credentials associated with cloud services like GitHub, Amazon Web Services (AWS), and Docker Hub.
Aqua Security notes that some of the data in historic logs was obfuscated. However, the effort was insufficient, the researchers say, since Travis CI allows developers to use various naming conventions for sensitive information.
“Nevertheless, there are many conventions to print secrets, passwords, and tokens in logs, and most of them remained in clear text. For instance, we found that in many cases “github_token” was masked and didn’t disclose any secrets. However, we found about 20 variations of this token that weren’t masked by Travis CI” – Aqua Security
Aqua Security’s shared their findings with Travis CI hoping for a fix. However, the CI service replied that the issue was “by design” and left the data exposed.
Exposing user logs seems to be a recurrent problem for Travis CI as reports about this type of risk have been published in 2015, 2019 and in 2021.