Researchers at Aqua Security discovered that “tens of thousands of user tokens” are exposed through the Travis CI API, allowing access to more than 770 million logs containing credentials for services such as GitHub, AWS, and Docker Hub.
- Team Nautilus found that tens of thousands of user tokens are exposed via the Travis CI API, which allows anyone to access historical clear-text logs. More than 770 million logs of free tier users are available, from which you can easily extract tokens, secrets, and other credentials associated with popular cloud service providers such as GitHub, AWS, and Docker Hub.
- Based on the Travis CI API manual, we discovered that a valid API call to fetch a clear-text log will require a log number. In this case, we can easily apply an enumeration script to fetch all the available logs between zero and infinity.
Researchers determined that a total of about 770 million logs were exposed. In a random sampling of 20,000 logs, after cleaning up the data, they discovered about 73,000 tokens, secrets, and various credentials associated with cloud services like GitHub, AWS, and Docker Hub.
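The defender's counterpart to what the researchers did is to scan your own CI build output for credential-shaped strings before it is stored or shared, and to redact (and then rotate) anything found. The following is an added example, not code from Aqua Security or Travis CI; the log lines are constructed and contain no real credentials. The AWS access key ID and GitHub classic token shapes are well-known formats; the variable-name, `docker login -p` and entropy heuristics are assumptions that a real scanner would tune to its own environment.

```python
import math
import re
from collections import Counter

# Constructed sample lines resembling CI build output. None of these are real credentials.
SAMPLE_LOG = """\
$ export AWS_ACCESS_KEY_ID=AKIAEXAMPLE0123456AB
$ export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
$ git clone https://ghp_abcdefghijklmnopqrstuvwxyz0123456789@github.com/acme/app.git
$ docker login -u builder -p hunter2-plain-password
echo deploy key: 9f8Xq2LmZ7vT4wRb1NcK6pYd3sHj0AeU
Building project...
Tests passed: 42
"""

# Known credential shapes: AWS access key IDs are "AKIA" + 16 upper-case alphanumerics,
# GitHub classic personal access tokens are "ghp_" + 36 alphanumerics. The remaining two
# patterns are heuristics (assumptions) that flag a value because of its surrounding context.
PATTERNS = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("github_pat", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
    ("secret_env_assignment",
     re.compile(r"\b[A-Z0-9_]*(?:SECRET|TOKEN|PASSWORD|PASSWD|API_KEY)[A-Z0-9_]*=(\S+)")),
    ("docker_login_password",
     re.compile(r"\bdocker\s+login\b.*?\s(?:-p|--password)\s+(\S+)")),
]

# Catch-all heuristic: strings this long with this much entropy are usually keys, not words.
MIN_CANDIDATE_LEN = 20
MIN_ENTROPY_BITS = 4.0
CANDIDATE = re.compile(r"[A-Za-z0-9_\-/+=]{%d,}" % MIN_CANDIDATE_LEN)


def shannon_entropy(s):
    """Bits of entropy per character, estimated from the character frequencies of s."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_secrets(text):
    """Return a list of (line_number, kind, value) for every credential-like value found."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        seen = []
        for kind, pattern in PATTERNS:
            for m in pattern.finditer(line):
                value = m.group(1) if m.groups() else m.group(0)
                if value not in seen:
                    seen.append(value)
                    findings.append((line_no, kind, value))
        # Long, high-entropy strings that none of the specific patterns recognised.
        for cand in CANDIDATE.findall(line):
            if any(v in cand for v in seen):
                continue  # already reported under a more specific kind
            if shannon_entropy(cand) >= MIN_ENTROPY_BITS:
                seen.append(cand)
                findings.append((line_no, "high_entropy_string", cand))
    return findings


def redact(text):
    """Replace every detected value with a placeholder so the log is safe to store or share."""
    lines = text.splitlines()
    for line_no, kind, value in find_secrets(text):
        lines[line_no - 1] = lines[line_no - 1].replace(value, "[REDACTED:%s]" % kind)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for line_no, kind, value in find_secrets(SAMPLE_LOG):
        print("line %d: %s -> %s" % (line_no, kind, value))
    print(redact(SAMPLE_LOG))
```

Redaction only limits further spread; any value the scanner reports was already written to a log once and should be treated as compromised and rotated. The entropy threshold is deliberately separate from the named patterns so that tuning it for fewer false positives does not weaken detection of formats you know precisely.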
It is a false assumption that code and agents we implement in our enterprises are safe from malware. Colonial Pipeline and other hacks have shown us that this is a fallacy. Just as zero trust has shown us that all network and session traffic cannot be trusted – so must we feel about sources. The same guards of re-authenticate, re-authorize that we do for ZTN – we must conduct for our software. We have to have a resilient enterprise that practices rigid identity governance which can stop the threat actor when they begin their kill chain of attacks.
Static secrets like user tokens and keys should never be as easy to extract as the researchers at Aqua Security found them to be in this case – clearly there are authentication/authorization access controls which could have been added to make it much more difficult. However, it should also be remembered that another approach to securing static secrets is to ensure that they are not useful on their own, i.e. they only function when presented with an independently generated contextual second factor. Simplistically speaking, if a data lake of static secrets is not useful, bad actors won’t bother to steal them.
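One way to realise the "not useful on their own" idea from the comment above is to bind each static token to a second key that never travels with it and to require a per-request proof computed over the request context. The following is an added example, not code from the commenter, Aqua Security, or Travis CI; the server secret, token format, context fields and 300-second freshness window are assumptions made for the demonstration.

```python
import hashlib
import hmac
import os
import time

# Constructed value for the demonstration; a real service keeps this in a KMS or HSM.
SERVER_SECRET = b"constructed-server-secret-do-not-reuse"
MAX_SKEW_SECONDS = 300  # assumed freshness window for a request timestamp


def derive_binding_key(server_secret, token):
    """Server-side derivation: no per-token storage is needed, the binding key is recomputed."""
    return hmac.new(server_secret, b"bind:" + token.encode(), hashlib.sha256).digest()


def issue_credential(server_secret, user_id):
    """Return (token, binding_key). The token is the part that gets copied around and may end
    up in a log; the binding_key must stay in the client's secret store and never be logged."""
    token = "tok_" + user_id + "_" + os.urandom(12).hex()
    return token, derive_binding_key(server_secret, token)


def _message(token, method, path, timestamp):
    # The context the proof covers: this token, this operation, this path, this moment.
    return "\n".join([token, method, path, str(timestamp)]).encode()


def sign_request(token, binding_key, method, path, timestamp):
    """Client side: proof that the caller holds the binding key for this exact request."""
    return hmac.new(binding_key, _message(token, method, path, timestamp),
                    hashlib.sha256).hexdigest()


def verify_request(server_secret, token, method, path, timestamp, proof, now=None):
    """Server side: the token alone proves nothing; the proof must match this token, method,
    path and a fresh timestamp. Returns True only when every check passes."""
    now = time.time() if now is None else now
    if abs(now - timestamp) > MAX_SKEW_SECONDS:
        return False
    expected = sign_request(token, derive_binding_key(server_secret, token),
                            method, path, timestamp)
    # Constant-time comparison so the server does not leak the expected proof byte by byte.
    return hmac.compare_digest(expected, proof)


def demo(now=1_700_000_000):
    """Exercise the four cases a defender cares about and return their outcomes."""
    token, binding_key = issue_credential(SERVER_SECRET, "alice")
    proof = sign_request(token, binding_key, "POST", "/deploy", now)
    return {
        # Legitimate client: holds both the token and the binding key.
        "legitimate": verify_request(SERVER_SECRET, token, "POST", "/deploy", now, proof, now),
        # Only the token was scraped from a log; no binding key, so no valid proof.
        "token_only": verify_request(SERVER_SECRET, token, "POST", "/deploy", now, "", now),
        # A captured valid proof presented for a different operation.
        "replay_other_path": verify_request(SERVER_SECRET, token, "DELETE", "/prod-db",
                                            now, proof, now),
        # The same proof presented an hour later.
        "replay_stale": verify_request(SERVER_SECRET, token, "POST", "/deploy",
                                       now, proof, now + 3600),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print("%-18s accepted=%s" % (case, ok))
```

The property that matters for the data-lake scenario is that a log containing `tok_...` strings is worthless to whoever reads it, because the binding key was never transmitted and never written anywhere a log could capture it. The freshness check and the inclusion of method and path in the signed context limit what a captured proof can be reused for; a production design would add a nonce or a server-side seen-proof cache to close replay within the window entirely.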