Credentials for Thousands of Open Source Projects Free to Take With You – Again!

A service that helps open-source developers write and test software is leaking thousands of authentication tokens and other security-related secrets. Many of these leaks allow hackers to access developers’ private accounts on GitHub, Docker, AWS and other code repositories, security researchers said in a new report.

The exposure of third-party developer credentials through Travis CI has been an ongoing issue since at least 2015. At the time, vulnerability service HackerOne reported that a GitHub account it was using had been compromised when the service exposed an access token belonging to one of the HackerOne developers. A similar leak occurred in 2019 and again last year.

The tokens give anyone with access to them the ability to read or modify the code stored in repositories that distribute an untold number of running software applications and code libraries. Unauthorized access to such projects opens the possibility of supply chain attacks, where threat actors tamper with software before it is distributed to users. The attackers can use their ability to tamper with an app to attack a large number of projects that rely on that app on production servers.

Although this is a known security issue, the leaks continue, according to researchers from Aqua Security’s Nautilus team. Two batches of data, which the researchers accessed through the Travis CI programming interface, yielded 4.28 million and 770 million logs from 2013 to May 2022, along with various credentials.

“These access keys and credentials are linked to popular cloud service providers, including GitHub, AWS and Docker Hub,” said Aqua Security. “Attackers can use this sensitive data to initiate massive cyber attacks and move sideways in the cloud. Anyone who has ever used Travis CI is potentially at risk, so we recommend rotating your keys immediately.”

Travis CI is a provider of an increasingly common practice known as continuous integration. Often abbreviated as CI, it automates the process of building and testing each committed code change. For each change, the code is regularly built, tested, and merged into a common repository. Given the level of access that CI needs to function properly, the environments typically store access tokens and other secrets that provide privileged access to sensitive parts within the cloud account.

Access tokens found by Aqua Security affected private accounts from a variety of repositories, including GitHub, AWS, and Docker.

Examples of exposed access tokens are:

  • Access tokens on GitHub, which may allow privileged access to code repositories
  • AWS access keys
  • Sets of credentials, typically an email or username and password, that allow access to databases such as MySQL and PostgreSQL
  • Docker Hub passwords that can lead to account takeover if MFA (Multi-Factor Authentication) is not enabled

The graphic below shows the breakdown:

Aqua Security

Aqua Security researchers added:

We found thousands of GitHub OAuth tokens. It can be assumed that at least 10-20% of them are alive. Especially those found in recent logs. In our cloud lab, we simulated a lateral movement scenario based on this initial access scenario:

1. Extraction of a GitHub OAuth token via exposed Travis CI protocols.

2. Discovery of sensitive data (i.e. AWS access keys) in private code repositories using the exposed token.

3. Lateral movement attempts using the AWS access keys in the AWS S3 bucket service.

4. Discovery of cloud storage objects via bucket enumeration.

5. Data exfiltration from the target’s S3 to the attacker’s S3.

Travis CI representatives did not immediately respond to an email requesting comment on this post. Given the recurring nature of this exposure, developers should proactively rotate access tokens and other credentials on a regular basis. They should also periodically scan their code artifacts to ensure they do not contain credentials. Aqua Security has additional advice in its post.
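
As an added example (not from the article or from Aqua Security's report), one way to do the periodic scan recommended above is to run your own saved CI build logs through patterns for the credential types listed earlier and report redacted hits. The sample log is constructed, the AWS key is AWS's documentation placeholder, and the "[secure]" masking marker and the database and Docker patterns are assumptions of this example.

```python
import re

# Patterns for the credential types the article lists. The GitHub and AWS
# formats are the publicly documented ones; the DB and Docker patterns are
# heuristics assumed for this example.
PATTERNS = {
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "db_uri_password": re.compile(
        r"\b(?:mysql|postgres(?:ql)?)://[^\s:/@]+:([^\s@]+)@"),
    "docker_login_password": re.compile(
        r"docker\s+login\b.*?(?:-p|--password)[= ]\s*(\S+)"),
}

# Constructed build log; none of these values are real credentials.
SAMPLE_LOG = "\n".join([
    "$ git clone https://" + "gho_" + "a1B2" * 9 + "@github.com/example/repo.git",
    "$ export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE",
    "$ psql postgresql://ci_user:s3cr3tPassw0rd@db.example.internal/app",
    "$ docker login -u ci-bot -p [secure]",
    "$ make test",
])

def redact(secret):
    """Keep a short prefix for triage; never echo the full secret."""
    keep = min(4, len(secret) // 3)
    return secret[:keep] + "*" * (len(secret) - keep)

def scan_log(text):
    """Return (line_no, kind, redacted_secret) for every match in a build log."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                # Patterns with a capture group isolate the secret itself.
                secret = m.group(1) if pattern.groups else m.group(0)
                # Assumption: the CI prints "[secure]" where it masked a value.
                if secret == "[secure]":
                    continue
                findings.append((line_no, kind, redact(secret)))
    return findings

if __name__ == "__main__":
    for line_no, kind, shown in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {kind}: {shown}")
```

Any hit means the credential should be treated as exposed and rotated, not just deleted from the log.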
