Travis CI API made headlines (again) for a vulnerability that exposes sensitive data of thousands of developers – allowing anyone to access historical clear-text logs, according to Aqua, a cybersecurity firm. This issue received media attention in both 2015 and 2019 but resurfaced recently with the news that 70 million free-tier user logs are still available to the public.
“This issue was reported to Travis CI in the past and was published in the media in 2015 and 2019, but it has never been fully fixed,” Aqua said.
In the wrong hands, these logs – containing credentials, secrets and tokens – can be used to attack cloud services such as GitHub, Docker Hub and AWS.
What can happen when you fail to secure a continuous integration API
Travis CI made a statement saying the vulnerability exposing thousands of secrets was “by design.” Nevertheless, the cloud vendors involved promptly rotated their keys, double checked the findings, and even offered bounty rewards to the finders of the issue.
This begs the question, what problems can result from exposed logs within APIs? In whose hands does API security rest? And what can be done to secure both API and users from similar scenarios in the future?
To understand the scope of the problem, let’s first review what a continuous integration (CI) service is.
“These days, continuous integration (CI) and continuous delivery/deployment (CD) are a major part of modern development and cloud native application pipelines. For every change to an application, the code is regularly built, tested, and merged to a shared repository.”
--Aqua blog, June 13, 2022
What is a continuous integration service?
Like many CI services, the Travis CI API is used by developers to test apps. It is a way of sandboxing potential features before releasing them into the wild. CI environments allow developers to build and test code, then save it to a shared repository where other developers can access the changes. A valuable part of the CI/CD loop used in cloud native pipelines, CI environments offer “straightforward set-up configuration steps and [pretty] interfaces for quickly testing and building code continuously.”
Due to the proprietary and sensitive nature of these activities, CI services often store secrets pertinent to software creation. These can be used to access different parts of the cloud or development pipeline. Access tokens with high privileges, for example, can be used to read, write, administrate, and alter code within the apps being designed, and are the gatekeepers to more confidential information.
Risks resulting from exposed APIs
Now that we understand the architecture and the value it holds to developers, let’s examine the findings of this most recent CI API exposure. Researchers uncovered:
- 770 million exposed logs between 2013 and 2022
- 73,000 tokens within a sample size of 8 million logs
- Secrets exposed from DockerHub, GitHub and AWS
- Passwords and tokens saved in cleartext
- 20 unmasked variations of “github_token” exposed (github_auth, github_api_token, etc.)
They also found 42 valid logs for every 100 API calls. From these logs, secrets were extracted, such as:
- GitHub access tokens that could allow privileged access to code repositories
- Credentials to databases such as MySQL and PostgreSQL
- Docker Hub passwords
In investigating attack scenarios resulting from this exposed data, researchers discovered potential threats including lateral cloud movement* and source code theft.
The sensitive information trusted to APIs, especially continuous integration APIs, is just as valuable to attackers as it is to developers, and maybe more so. Travis CI itself implements measures to enhance security. However, as we’ve seen above, security measures fail when you neglect to protect CI-hosted data at the API level.
Security for APIs and API users
Security is the responsibility of the entity that owns the data. To effectively protect your proprietary source code, secrets and assets, research, use CI service providers that adhere to the following security principles:
- A rotation policy for keys, certificates, and tokens
- Principle of least-privilege in keys and tokens
- Never print secrets or credentials in logs
- Scan artifacts to discover and delete secrets
- Use a secure API service with best-in-class security practices
The Venafi API allowsyou to automate and customize your deployment to integrate with HashiCorp Vault for Certificates, Hashicorp Terraform for Certificates, Jetstack cert-manager and AWS. And, the Venafi as a Service REST API provides full certificate visibility, next-gen code signing, continuous discovery and monitoring and SSH protection.
- Automate Policy Checks for Your CI/CD: OpenCredo Secure Software Pipeline Verifier
- Accelerate DevOps by Offering a Certificate Service for CI/CD Pipelines
- Oh, How I Love My Hashi (Vault)
- Automate Your Certificate Lifecycle to Prevent DevOps Outages!
*According to Aqua, lateral movement attacks simulated in its cloud lab would include:
- Extraction of a GitHub OAuth token via exposed Travis CI logs
- Discovery of sensitive data (i.e., AWS access keys) in private code repositories using the exposed token
- Lateral movement attempts with the AWS access keys in the AWS S3 bucket service
- Cloud storage object discovery via bucket enumeration
- Data exfiltration from the target’s S3 to attacker’s S3