Unpatched Travis CI API Bug Exposes Thousands of Secret User Access Tokens

2022-06-15 20:13

An unpatched security issue in the Travis CI API has left tens of thousands of developers' user tokens exposed to potential attacks, effectively allowing threat actors to breach cloud infrastructures, make unauthorized code changes, and initiate supply chain attacks.

The issue, previously reported in 2015 and 2019, is rooted in the fact that the API permits access to historical logs in cleartext format, enabling a malicious party to even "Fetch the logs that were previously unavailable via the API.".

This is despite Travis CI's attempts to rate-limit the API and automatically filter out secure environment variables and tokens from build logs by displaying the string "[secure]" in their place.

One of the critical insights is that while "Github token" was obfuscated, 20 other variations of this token that followed a different naming convention - including github secret, gh token, github api key, and github secret - weren't masked by Travis CI. "Travis CI slowed down the velocity of API calls, which hinders the ability to query the API," the researchers said.

Travis CI, in response to the findings, has said the issue is "By design," necessitating that users follow best practices to avoid leaking secrets in build logs and periodically rotate tokens and secrets.

The findings are particularly significant in the wake of an April 2022 attack campaign that leveraged stolen OAuth user tokens issued to Heroku and Travis CI to escalate access to NPM infrastructure and clone select private repositories.

News URL

https://thehackernews.com/2022/06/unpatched-travis-ci-api-bug-exposes.html

#API #token