Credentials for thousands of open source projects free for the taking, again! – Ars Technica


A service that helps open source developers build and test software is leaking thousands of authentication tokens and other security-sensitive secrets. Many of the leaked tokens let attackers access the private accounts of developers on GitHub, Docker Hub, AWS, and other services, security researchers said in a new report.

The tokens give anyone who holds them the ability to read or modify the code stored in repositories that feed an untold number of applications and code libraries. Unauthorized access of that kind opens the door to supply chain attacks, in which threat actors tamper with software, for instance by inserting a backdoor or other malicious code, before it's distributed to users. Because a single tampered package is pulled into every project that depends on it, an attacker who compromises one widely used library can reach huge numbers of downstream projects on production servers.

Despite this being a known security concern, the leaks have continued, researchers on the Nautilus team at the security firm Aqua Security report. Two batches of data the researchers retrieved through the Travis CI programming interface yielded 4.28 million and 770 million logs spanning 2013 through May 2022. After sampling a small percentage of the data, the researchers found what they believe are 73,000 tokens, secrets, and other credentials.

"These access keys and credentials are linked to popular cloud service providers, including GitHub, AWS, and Docker Hub," Aqua Security said. "Attackers can use this sensitive data to initiate massive cyberattacks and to move laterally in the cloud. Anyone who has ever used Travis CI is potentially exposed, so we recommend rotating your keys immediately."

Travis CI is a provider of continuous integration, an increasingly common practice. Often abbreviated as CI, it automates the building and testing of every code change that is committed: each change is built, tested, and merged into a shared repository on a regular basis. Because a CI job needs credentials to do that work, for example to check out private repositories, push container images, or deploy, CI environments usually store access tokens and other secrets that grant privileged access to sensitive parts of the cloud account. If a build step prints one of those secrets, it ends up in the build log.

The access tokens found by Aqua Security belonged to private accounts on a wide range of services, including GitHub, AWS, and Docker Hub.

[Image not reproduced in text. Credit: Aqua Security]

Examples of access tokens that were exposed include:

[Image not reproduced in text. Credit: Aqua Security]

The following graph shows the breakdown:

[Chart not reproduced in text: breakdown of exposed credentials by service. Credit: Aqua Security]

A representative for Code Climate, the service shown in the chart above, said the credentials found by Aqua Security don't provide hackers with unauthorized access. "These are test coverage tokens, used to report test coverage to Code Climate's Quality product," the representative said. "Unlike the other tokens mentioned in this post, these tokens are not considered secret, and cannot be used to access any data."

Aqua Security researchers added:

We found thousands of GitHub OAuth tokens. It's safe to assume that at least 10-20% of them are live, especially those that were found in recent logs. We simulated in our cloud lab a lateral movement scenario, which is based on this initial access scenario:

1. Extraction of a GitHub OAuth token via exposed Travis CI logs.

2. Discovery of sensitive data (i.e., AWS access keys) in private code repositories using the exposed token.

3. Lateral movement attempts with the AWS access keys in AWS S3 bucket service.

4. Cloud storage object discovery via bucket enumeration.

5. Data exfiltration from the target's S3 to the attacker's S3.


Travis CI representatives didn't immediately respond to an email seeking comment for this post. Given the recurring nature of this exposure, developers should proactively rotate access tokens and other credentials on a regular schedule. They should also regularly scan their build logs and other code artifacts to ensure they don't contain credentials. Aqua Security has additional advice in its post.
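The first step of the chain Aqua describes above is pulling a token out of an exposed log, and the same pattern matching is what the scan recommended here has to do. The following Python script is an added example, not code from the article, Travis CI, or Aqua Security. It scans a constructed build log for the token types the report names (GitHub tokens, AWS keys, Docker Hub tokens) plus the contexts a stored secret usually leaks in (an env dump, a `user:token@host` clone URL, a password on a command line), treats Travis CI's `[secure]` placeholder as already masked, and also decodes base64 runs so that an encoded copy of a secret, which log masking of the plain value does not catch, is still found. The token prefix and length conventions, the `[secure]` placeholder, and every token value in `SAMPLE_LOG` are assumptions or fakes constructed for the example.

```python
"""Scan CI build-log text for leaked credentials and scrub them.

Added example; it is not code from the Ars Technica article, Travis CI
or Aqua Security. SAMPLE_LOG is constructed to resemble a Travis CI job
log; every token in it is fake and follows only each provider's public
prefix and length conventions (assumed, see PATTERNS).
"""
import base64
import re
from typing import Dict, Iterator, List, NamedTuple, Tuple


class Finding(NamedTuple):
    line_no: int
    kind: str
    value: str     # the secret as an attacker would use it
    raw: str       # the text as it appears in the log (base64 run if encoded)
    encoding: str  # "plain" or "base64"


# Assumptions about token shapes: GitHub classic tokens are gh{p,o,u,s,r}_ plus
# 36 characters; AWS access key IDs start with AKIA (long-term) or ASIA
# (temporary); the Docker Hub "dckr_pat_" prefix is assumed from its PAT
# format. The last three patterns key on the context a secret leaks in rather
# than its shape: an env-var assignment, a URL's user:secret@host part and a
# password passed on a command line.
PATTERNS: Dict[str, "re.Pattern[str]"] = {
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "dockerhub_pat": re.compile(r"\bdckr_pat_[A-Za-z0-9_-]{20,}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws_secret_access_key\s*[=:]\s*([A-Za-z0-9/+=]{40})"),
    "url_userinfo": re.compile(r"https?://[^/\s:@]+:([^@\s/]{8,})@[^\s/]+"),
    "cli_password_flag": re.compile(
        r"(?:^|\s)(?:-p|-u|--password)\s+(?:[^\s:]+:)?(\S{8,})"),
}
# Travis CI prints "[secure]" in place of an encrypted env var's value (assumed
# placeholder); that and our own redaction marker are not leaks.
PLACEHOLDERS = ("[secure]", "[REDACTED")
B64_RUN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")


def _views(line: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (text, raw, encoding): the line itself, then any base64 run in it
    that decodes to printable ASCII, so an encoded copy of a secret is caught
    even though the CI's masking only knows the plain form."""
    yield line, line, "plain"
    for m in B64_RUN.finditer(line):
        try:
            text = base64.b64decode(m.group(0), validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
            continue
        if text.isprintable():
            yield text, m.group(0), "base64"


def scan_log(log: str) -> List[Finding]:
    """Return every unmasked secret, one Finding per distinct value per line."""
    findings: List[Finding] = []
    for no, line in enumerate(log.splitlines(), 1):
        seen = set()
        for text, raw, enc in _views(line):
            for kind, pat in PATTERNS.items():
                for m in pat.finditer(text):
                    value = m.group(1) if m.groups() else m.group(0)
                    if value.startswith(PLACEHOLDERS) or value in seen:
                        continue
                    seen.add(value)
                    findings.append(Finding(no, kind, value,
                                            value if enc == "plain" else raw, enc))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


def redact(log: str, findings: List[Finding]) -> str:
    """Replace each leaked value (or its encoded form) so the log can be kept."""
    lines = log.splitlines()
    for f in findings:
        lines[f.line_no - 1] = lines[f.line_no - 1].replace(f.raw, f"[REDACTED {f.kind}]")
    return "\n".join(lines) + "\n"


FAKE_DOCKER_PAT = "dckr_pat_0123456789abcdefghijklmnopqrstuv"  # constructed, fake
SAMPLE_LOG = (  # constructed log lines; every token is fake
    "$ export GITHUB_TOKEN=[secure]\n"
    "$ git clone https://x-access-token:ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdef0123@github.com/example/app.git\n"
    "Cloning into 'app'...\n"
    "$ env | grep AWS\n"
    "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
    "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    "$ docker login -u builder -p [secure]\n"
    "$ printf '%s' \"$DOCKER_TOKEN\" | base64\n"
    + base64.b64encode(FAKE_DOCKER_PAT.encode()).decode() + "\n"
    "$ curl -u deploy:s3cr3tPassw0rd https://registry.example.com/v2/\n"
    'The command "make test" exited with 0.\n'
)

if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for f in found:
        print(f"line {f.line_no}: {f.kind} ({f.encoding}) {f.value[:12]}...")
    print(summarize(found))
    print(redact(SAMPLE_LOG, found))
```

Run it as a gate in the pipeline that archives build logs, or over a dump of historical logs before rotating keys: anything `scan_log` reports is a credential that has to be revoked, not just scrubbed, because the log may already have been read. The `[secure]` line and the `-p [secure]` line show what correct masking looks like; the base64 line shows why masking the plain value alone is not enough.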

Post updated to add comment from Code Climate.

