Aqua Security has published the results of a study of confidential data in build logs that are publicly accessible in the Travis CI continuous integration service. The researchers found a way to retrieve 770 million logs belonging to various projects. In a test download of 8 million logs, about 73 thousand tokens, credentials and access keys for various popular services, including GitHub, AWS and Docker Hub, were identified in the data. The exposed information is enough to compromise the infrastructure of many open projects; a similar leak, for example, recently led to the compromise of NPM's infrastructure.
The leak stems from the fact that the logs of users of the free Travis CI service can be accessed through the standard API (for example, a build log can be downloaded via a URL of the form “https://api.travis-ci.org/v3/job/5248126/log.txt”, where the number 5248126 is the log identifier). To determine the range of possible log identifiers, another API endpoint was used (“https://api.travis-ci.org/logs/6976822”), which redirects to the download of the log with the given sequence number. By enumerating the identifier range without authentication, the researchers identified about 770 million logs created between 2013 and May 2022 during builds of projects on the free plan.
Analysis of the test sample showed that in many cases the logs contain, in plain text, access parameters for repositories, APIs and storage services that are sufficient to reach private repositories, modify code or access the cloud environment used in the project's infrastructure. For example, the logs were found to contain tokens for connecting to GitHub repositories, passwords for publishing builds to Docker Hub, access keys for the Amazon Web Services (AWS) environment, and connection parameters for the MySQL and PostgreSQL DBMSs.
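As an added illustration (not part of the original report and not Aqua Security's tooling), the following Python script shows the kind of check a project can run over its own build logs before they are retained or published: it scans constructed sample log lines for the credential types named above and produces a redacted copy. The log lines, secret values and regular expressions are constructed for this example (the AWS values are Amazon's documented placeholder keys), and the patterns cover only well-known formats, so a real deployment would extend them.

```python
import re

# Constructed sample build-log lines; no real logs or real secrets are used.
SAMPLE_LOG = """\
$ export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
$ export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
$ docker login -u builder -p hunter2secret docker.io
$ git clone https://ghp_abcdefghijklmnopqrstuvwxyz0123456789@github.com/org/repo.git
$ export DATABASE_URL=postgres://app:s3cr3tpw@db.internal:5432/app
$ npm test
"""

# Illustrative detectors for the credential kinds named in the article.
# A capturing group, when present, isolates the secret itself.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "aws_secret_key_env": re.compile(r"AWS_SECRET_ACCESS_KEY=(\S+)"),
    "docker_login_password": re.compile(r"docker login\b.*?\s-p\s+(\S+)"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "db_url_password": re.compile(
        r"\b(?:postgres(?:ql)?|mysql)://[^:\s/]+:([^@\s]+)@"),
}


def find_secrets(log_text):
    """Return a list of (line_number, kind, secret) for every match in the log."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        for kind, rx in PATTERNS.items():
            for match in rx.finditer(line):
                secret = match.group(1) if match.groups() else match.group(0)
                findings.append((line_no, kind, secret))
    return findings


def redact(log_text):
    """Return the log with each detected secret masked (first 4 chars kept for triage)."""
    redacted = log_text
    for _, _, secret in find_secrets(log_text):
        redacted = redacted.replace(secret, secret[:4] + "****")
    return redacted


if __name__ == "__main__":
    for line_no, kind, secret in find_secrets(SAMPLE_LOG):
        print(f"line {line_no}: {kind} -> {secret[:4]}****")
    print(redact(SAMPLE_LOG))
```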
Notably, similar leaks through the API were recorded by researchers in 2015 and 2019. After those incidents, Travis added certain restrictions to hinder mass downloading and cut off access to the API, but these restrictions were bypassed. Travis also attempted to scrub confidential data from the logs, but the data was only partially cleaned.
The leak mainly affected users of open projects, to which Travis provides free access to its continuous integration service. An audit carried out by some of the affected service providers confirmed that about half of the tokens and keys extracted from the logs remain valid. All users of the free Travis CI service are advised to rotate their access keys urgently and to configure deletion of build logs.