A flaw in Travis CI continuous integration software has left sensitive information from thousands of open source projects exposed online. It is not the first time the software has suffered security issues of this nature.
Travis is a continuous integration (CI) tool that allows software developers to automate the testing and integration of new code into open source projects. Researchers at cloud security vendor Aqua have discovered that, through one of the software’s APIs, it is possible to access up to 770 million ‘logs’ from users of the Travis CI free tier, even those who have deleted their accounts.
From these logs attackers can extract user authentication tokens used to log in to cloud services like GitHub, Docker Hub and AWS, stored in clear text format. From a sample of eight million of the logs, the researchers found more than 70,000 sensitive tokens and other confidential credentials. “All Travis CI free tier users are potentially exposed,” says the Aqua team.
Data from 2019 shows Travis CI was used in more than 932,977 open source projects by more than 600,000 separate users.
Such access to high-level user credentials presents a risk both to the software developers who use the product and to the customers of those developers. “If an attacker were to obtain these credentials there is nothing stopping them from introducing malicious code into libraries or the build process,” explains Bharat Mistry, technical director for UK and Ireland at security vendor Trend Micro. “This flaw could absolutely open the door to digital supply chain attacks.”
Supply chain attacks can be devastating. The SolarWinds attack in 2020 allowed state-sponsored Russian hackers access to the systems of thousands of companies and government organisations. The Kaseya supply chain attack in 2021 allowed criminals to encrypt the data of over 1,500 companies, holding them all to ransom simultaneously.
Travis CI vulnerability: advice for users
It seems unlikely the developers of Travis will take any action to resolve the vulnerability. “It appears that the company is presenting this as a feature of the platform,” Mistry says. Indeed, when researchers alerted the company to the problem, it said the storing of the credentials in clear text format was “by design”.
The company does provide guidance for securing data on its website, which includes a list of suggestions for making the data of free-tier users more secure.
Unless Travis completely redesigns its system, the risks will remain, says Grant Wyatt, COO at web security firm MIRACL. Anyone concerned by this would be advised to “switch to using a competitive product like Jenkins,” he argues. Indeed, anecdotal evidence suggests most developers prefer other tools, with only 40 developers from a poll of 2,500 users of the Everything DevOps Reddit channel stating they used Travis CI, with Jenkins and GitLab CI the most popular options.
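The exposure described above comes down to credentials being printed into build logs in clear text. As an added illustration of the kind of check a project can run over its own build output before logs become public (example code, not from Travis CI, Aqua or any vendor quoted here), the Python scanner below flags and redacts credential-shaped values in a few constructed CI log lines. The AWS access key ID prefix (AKIA) and GitHub personal access token prefix (ghp_) are documented token formats; the log lines and the token values themselves are constructed, not real.

```python
import re
from dataclasses import dataclass

# Constructed sample of CI job output; none of these values are real credentials.
SAMPLE_LOG = """\
$ export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
$ export GITHUB_TOKEN=ghp_abcdefghijklmnopqrstuvwxyz0123456789
$ docker login -u ciuser -p hunter2docker
$ npm test
> 42 passing
"""


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str
    value: str


# Specific token formats first, then generic shapes (env assignments, password flags).
# A group(1) capture means "only this part is the secret"; no group means the whole match is.
PATTERNS = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("github_pat", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
    ("env_secret_assignment",
     re.compile(r"\b\w*(?:TOKEN|SECRET|PASSWORD|API_KEY)\w*=(\S+)", re.IGNORECASE)),
    ("cli_password_flag", re.compile(r"(?:-p|--password)[ =](\S+)")),
]


def scan_log(text):
    """Return (findings, redacted_text) for a block of CI log output."""
    findings, redacted, seen = [], [], set()
    for line_no, line in enumerate(text.splitlines(), start=1):
        clean = line
        for kind, rx in PATTERNS:
            for m in rx.finditer(line):
                secret = m.group(1) if m.groups() else m.group(0)
                if (line_no, secret) in seen:      # same value hit by a generic pattern
                    continue
                seen.add((line_no, secret))
                findings.append(Finding(line_no, kind, secret))
                clean = clean.replace(secret, "[REDACTED]")
        redacted.append(clean)
    return findings, "\n".join(redacted)


if __name__ == "__main__":
    found, safe_log = scan_log(SAMPLE_LOG)
    for f in found:
        print(f"line {f.line_no}: {f.kind}")
    print(safe_log)
```

A check like this belongs in the build itself (fail the job or scrub the log before it is archived); scanning logs after they have already been served by a public API, as in the incident above, only tells you what has already leaked.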
Travis CI has recurring security problems
Travis CI has suffered similar vulnerabilities in the past, most recently last year. It apparently failed to spot a flaw that led public open source code repositories using the platform to have their sensitive keys, credentials, and tokens left open to potential theft.
The company “quietly fixed” the problem, much to the chagrin of some users:
After 3 days of pressure from multiple projects, @travisci silently patched the issue on the 10th. No analysis, no security report, no post mortem, not warning any of their users that their secrets might have been stolen. 3/4
— Péter Szilágyi (karalabe.eth) (@peter_szilagyi) September 14, 2021
Similar types of risks were also spotted on the platform in 2019.