Exposed Travis CI API Leaves All Free-Tier Users Open to Attack

A security flaw in the Travis CI API has left tens of thousands of developers’ user tokens and other sensitive information exposed. Threat actors could use the credentials to carry out attacks in cloud services, including GitHub, Amazon Web Services (AWS), and Docker Hub.

The issue was first reported as far back as 2015, but the vulnerability in the API can still be exploited to launch attacks laterally across the cloud, according to a new blog post from Team Nautilus, which notes that all free-tier users of Travis CI are at risk.

The Travis CI API is commonly used by developers to test apps, and during their research the analysts were able to access more than 770 million cleartext logs, chock-full of the kind of sensitive data that threat actors could leverage to move laterally across cloud services for malicious activity. 

“We disclosed our findings to Travis which responded that this issue is ‘by design’, so all the secrets are currently available,” according to the post on the Travis CI API vulnerability. “All Travis CI free tier users are potentially exposed, so we recommend rotating your keys immediately.”
