CI build logs continue to expose company secrets

Team of researchers finds GitHub access tokens for various companies inside Travis CI build logs.


Security researchers are still finding secrets hidden deep inside continuous integration services, years after the issue became common knowledge.

Continuous integration (CI) is a coding methodology that requires programmers to integrate their in-dev code back into the main app at various intervals. This code is compiled/built back into a copy of the production system, and the code is tested for bugs using automated systems.

The purpose of CI is to find bugs as early as possible in the coding process and detect them before they're too deeply embedded into the rest of the project, at which point it may require extensive rewrites.

The most famous and widely used of all CI services is one called Travis CI, loved primarily due to its GitHub integration, but others also exist, such as Circle CI and GitLab CI.

Just like any web application, Travis CI keeps logs of everything that happens, and one of the most important of these is a project's build log, where Travis CI takes the in-dev code and integrates it into the main code repository in an operation called a "build."

During the build process, interactions with various remote servers and APIs are necessary, and the passwords, SSH keys, or API tokens used for them inherently end up recorded in the Travis CI logs.

An old problem, new again

A few years back, security researchers realized that they could comb Travis CI logs for API keys and other secrets, and report these issues to companies to receive bug bounties.

Besides good-willed security researchers, threat actors also realized they could do the same, and some of them even launched attacks against Travis CI to search build logs in bulk and extract some of these secrets.

The Travis CI team has learned from these attacks and has changed its process ever since. For the past few years, the Travis CI service has been running various automated scripts that detect patterns that appear to look like passwords or API tokens, and replace them with the word "[secure]" inside the build logs.

But three years later, a team of seven bug bounty hunters has found that despite the best efforts and various countermeasures of several CI services, such as Travis CI, Circle CI, and GitLab CI, some build logs still contain secrets.

Using specially crafted tools, the researchers scanned CI build logs for the past few months to find new leaks of sensitive data.

They found leaks at Grammarly, Discourse, a public cryptocurrency program, and an organization they did not want to name.

"Overall, the most impactful findings were predominately GitHub access token leaks," researchers said. They now urge companies to review CI build logs for any sensitive tokens that may slip through Travis CI's basic pattern filtering procedures.

CI build logs hide apps still using dead packages

Researchers also said that besides secret access tokens, an attacker can take another avenue and search CI build logs for terms like "is not in the npm registry," "No matching distribution," and "Could not find a valid gem," which are the error messages printed when a library has been removed from the npm, PyPI, or RubyGems package repositories.

Researchers said that attackers can use this trick to learn the names of dead packages that are still used in active projects.

They can then re-register those package names and use the rogue library to backdoor legitimate projects.
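As an added example (not the researchers' tooling, which the article does not describe), a small Python scanner runs both checks the article mentions over constructed build-log lines: it flags token-like values that "[secure]" filtering missed, and pulls the package names out of the three "package not found" messages quoted above so they can be checked against each registry. The token shapes and the exact message layouts are assumptions.

```python
import re

# Constructed sample build-log lines, not taken from any real project's logs.
SAMPLE_LOG = """\
$ git clone https://user:ghp_Aa1Bb2Cc3Dd4Ee5Ff6Gg7Hh8Ii9Jj0Kk1Ll2@github.com/example/app.git
$ curl -H "Authorization: token 9f86d081884c7d659a2feaa0c55ad015a3bf4f1b" https://api.github.com/user
$ export DEPLOY_TOKEN=[secure]
npm ERR! 404  'left-widget@^1.2.0' is not in the npm registry.
ERROR: No matching distribution found for oldhelper==0.3.1
ERROR:  Could not find a valid gem 'legacy-gem' (>= 0) in any repository
"""

# Assumed token shapes (not from the article): GitHub's "ghp_" personal access
# token prefix, and a "token"/"Bearer" authorization value that is long and opaque.
SECRET_PATTERNS = [
    ("github_pat", re.compile(r"\b(ghp_[A-Za-z0-9]{36})\b")),
    ("auth_header", re.compile(r"(?i)\b(?:token|bearer) +([A-Za-z0-9_\-]{20,})")),
]

# The three "package not found" messages named in the article, each with a regex
# that extracts the missing package name (exact message layouts are assumptions).
DEAD_PACKAGE_PATTERNS = {
    "npm": re.compile(r"'([^'@\s]+)(?:@[^']*)?' is not in the npm registry"),
    "pypi": re.compile(r"No matching distribution found for ([A-Za-z0-9_.\-]+)"),
    "rubygems": re.compile(r"Could not find a valid gem '([^']+)'"),
}


def scan_build_log(text):
    """Return (secrets, dead_packages) for one build log.

    secrets: (line_no, pattern_name, redacted_value) tuples; only the first four
    characters are kept so the report can be shared without re-leaking the value.
    dead_packages: (registry, package_name) tuples to check against each registry
    before someone else registers the name.
    """
    secrets, dead = [], []
    for line_no, line in enumerate(text.splitlines(), 1):
        for name, pat in SECRET_PATTERNS:
            for m in pat.finditer(line):
                secrets.append((line_no, name, m.group(1)[:4] + "..."))
        for registry, pat in DEAD_PACKAGE_PATTERNS.items():
            m = pat.search(line)
            if m:
                dead.append((registry, m.group(1)))
    return secrets, dead
```

Running `scan_build_log(SAMPLE_LOG)` reports the two unredacted tokens and the three orphaned package names; the "[secure]" line is correctly left alone.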

Researchers now hope that companies taking a closer look at their build logs may also find new avenues of attacks that they missed.

"This research has helped us get a better understanding of the large attack surface that continuous-integration services present - almost hidden in plain sight," the research team said.
