An unpatched security issue in the Travis CI API has left tens of thousands of developers’ user tokens exposed to potential attacks, effectively allowing threat actors to breach cloud infrastructures, make unauthorized code changes, and initiate supply chain attacks.
“More than 770 million logs of free tier users are available, from which you can easily extract tokens, secrets, and other credentials associated with popular cloud service providers such as GitHub, AWS, and Docker Hub,” researchers from cloud security firm Aqua said in a Monday report.
Travis CI is a continuous integration service used to build and test software projects hosted on cloud repository platforms such as GitHub and Bitbucket.
The issue, previously reported in 2015 and 2019, is rooted in the fact that the API permits access to historical logs in cleartext format, enabling a malicious party to even “fetch the logs that were previously unavailable via the API.”
The logs go all the way back to January 2013 and up until May 2022, ranging from log numbers 4,280,000 to 774,807,924, which are used to retrieve a unique cleartext log through the API.
images from Hacker News