View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
  2. Cybersecurity
June 15, 2022updated 05 Aug 2022 8:01am

Travis CI vulnerability leaves sensitive credentials of open source projects exposed

The flaw exposed this week shines a light on the platform's recurring security problems.

By Claudia Glover

A flaw in Travis CI continuous integration software has left sensitive information from thousands of open source projects exposed online. It is not the first time the software has suffered security issues of this nature.

Travis is a continuous integration (CI) tool that allows software developers to automate the testing and integration of new code into open source projects. Researchers at cloud security vendor Aqua have discovered that, through one of the software’s APIs, it is possible to access up to 770 million ‘logs’ from users of the Travis CI free tier, even those who have deleted their accounts.

Software developers use continuous integration tools to insert new code into their programmes. (Photo by alvarez/iStock)

From these logs attackers can extract user authentication tokens used to log in to cloud services like GitHub, Docker Hub and AWS, stored in clear text format. From a sample of eight million of the logs, the researchers found more than 70,000 sensitive tokens and other confidential credentials. “All Travis CI free tier users are potentially exposed,” says the Aqua team.

Data from 2019 shows Travis CI was used in more than 932,977 open source projects by more than 600,000 separate users.

Such access to high-level user credentials presents a risk to the software developers who use the product and the customers of those developers. “If an attacker were to obtain these credentials there is nothing stopping them from introducing malicious code into libraries or the build process,” explains Bharat Mistry, technical director for UK and Ireland at security Trend Micro. “This flaw could absolutely open the door to digital supply chain attacks.”

Supply chain attacks can be devastating. The Solar Winds attack in 2020 allowed state-sponsored Russian hackers access to the systems of thousands of companies and government organisations. The Kaseya supply chain attack in 2021 allowed criminals to encrypt the data of over 1,500 companies, holding them all to ransom simultaneously. 

Travis CI vulnerability: advice for users

It seems unlikely the developers of Travis will take any action to resolve the vulnerability. “It appears that the company is presenting this as a feature of the platform,” Mistry says. Indeed, when researchers alerted the company to the problem, it said the storing of the credentials in clear text format was “by design”.

The company does provide guidance for securing data on its website, which includes a list of suggestions for making the data of free-tier users more secure.

Content from our partners
Why food manufacturers must pursue greater visibility and agility
How to define an empowered chief data officer
Financial management can be onerous for CFOs, but new tech is helping lighten the load

Unless Travis completely redesigns its system, the risks will remain, says Grant Wyatt, COO at web security firm MIRACL. Anyone concerned by this would be advised to “switch to using a competitive product like Jenkins,” he argues. Indeed, anecdotal evidence suggests most developers prefer other tools, with only 40 developers from a poll of 2,500 users of the Everything DevOps Reddit channel stating they used Travis CI, with Jenkins and GitLab CI the most popular options.

Travis CI has recurring security problems

Travis CI has suffered similar vulnerabilities in the past, most recently last year. It apparently failed to spot a flaw that led public open source code repositories using the platform to have their sensitive keys, credentials, and tokens left open to potential theft.

The company “quietly fixed” the problem, much to the chagrin of some users:

Similar types of risks were also spotted on the platform in 2019.

Tech Monitor is hosting a roundtable in association with Intel vPro on how to integrate security into operations. For more information, visit NSMG.live.

Read more: Supply chain attacks on open source software grew 650% in 2021

Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy Policy for more information about our services, how New Statesman Media Group may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications.
THANK YOU