770 million logs compromised at Travis CI API

B2B Cyber ​​Security ShortNews


More than 770 million Travis CI API logs are potentially compromised. The free version of the popular CI/CD tool has a new vulnerability that allows access to tokens, user data and passwords.

Team Nautilus, Aqua Security's research unit specializing in the cloud-native technology stack, has discovered a new vulnerability in the free version of the Travis CI API, a popular CI/CD tool. The vulnerability gives easy access to tens of thousands of user credentials, tokens and other secrets contained in potentially up to 770 million free-version user logs.

770 million logs visible

Travis CI access keys and credentials are linked to popular cloud service providers such as GitHub, AWS, Docker Hub and many others. Through the vulnerability, attackers can read historical plaintext logs and use this sensitive data to launch large-scale cyberattacks and move laterally in the cloud. Some of these cloud service providers confirmed that up to 50 percent of the associated Travis CI tokens, user credentials and passwords shared with them were still valid and allowed access to their customers' accounts.

Known since 2015, still a problem

According to Travis CI, this issue was previously reported in 2015 and most recently in 2019 and subsequently resolved. But as the recent investigation by Team Nautilus clearly shows, it is still a serious problem. Nautilus found that the valid range of log IDs runs from 4,280,000 to 774,807,924, meaning there are potentially more than 770 million compromised logs. The oldest logs are from January 2013 and the newest from May 2022.

Figure: Percentage of compromised logs per cloud service provider (Image: Aqua Security).

Recommendation: Change the Travis CI API key immediately

This threat could lead to an increase in attacks on the software supply chain, an already critical issue. Although Team Nautilus also found potential access to restricted logs, Travis has no further plans at this time. Therefore, Nautilus recommends changing all Travis CI API keys immediately. Aqua Security has communicated the findings about the vulnerability to the respective service providers. Almost all of them were alarmed and reacted quickly; some initiated extensive key rotations. Aqua Security has published a detailed blog article describing the vulnerability.
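As an added example (not code from the Aqua Security report or from Travis CI), the following Python script scans constructed build-log lines for the kinds of credentials the article names (AWS keys, GitHub tokens, registry passwords) and reports redacted findings so that the affected keys can be rotated. The AWS access key ID and GitHub classic token formats are public; the registry-login and environment-variable patterns are assumed heuristics.

```python
import re
from typing import Dict, List, Tuple

# Credential formats that commonly end up in plaintext CI build logs.
# AWS access key IDs and GitHub classic tokens have documented shapes; the
# last two are assumed heuristics for secrets echoed by login commands or
# exported environment variables.
PATTERNS: Dict[str, "re.Pattern[str]"] = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "docker_login_password": re.compile(r"docker login\b.*?(?:-p|--password)[ =](\S+)"),
    "env_secret": re.compile(r"\b[A-Z_]*(?:KEY|TOKEN|SECRET|PASSWORD)=(\S+)"),
}

# Constructed sample log; the AWS values are the documented AWS example keys,
# the rest are made up and not real credentials.
SAMPLE_LOG = """\
$ export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
$ export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
$ docker login -u ci-bot -p hunter2-not-a-real-password registry.example
$ git clone https://ghp_abcdefghijklmnopqrstuvwxyz0123456789@github.com/org/repo
Build finished in 42s
"""


def redact(value: str) -> str:
    """Keep just enough of the value to identify which key to rotate."""
    return value[:4] + "..." + value[-2:] if len(value) > 8 else "***"


def scan_log(log_text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, kind, redacted_value) for every credential-like hit."""
    hits: List[Tuple[int, str, str]] = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                # Use the capture group where the pattern has one, else the whole match.
                value = match.group(1) if match.groups() else match.group(0)
                hits.append((lineno, kind, redact(value)))
    return hits


if __name__ == "__main__":
    for lineno, kind, shown in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {kind} -> {shown} (rotate this credential)")
```

Run it over exported Travis CI job logs for the free version to get a rotation list without re-printing the secrets themselves.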

More at Aquasec.com

About Aqua Security

Aqua Security is the largest pure cloud native security provider. Aqua gives its customers the freedom to innovate and accelerate their digital transformation. The Aqua platform provides prevention, detection, and response automation across the application lifecycle to secure the supply chain, cloud infrastructure, and ongoing workloads—regardless of where they are deployed.

