CI services expose company secrets including Github access tokens

• Researchers have re-discovered that CI services still contain company secrets inside its build logs.
• The most widely used CI service is Travis CI due to its GitHub integration, while Circle CI and GitLab CI are a few popular other CI services.

Researchers scanned CI build logs for the past few months and found leaks at Grammarly, Discourse, a public cryptocurrency program, and an organization.

The big picture

Researchers noted that many Continuous Integration (CI) services still contain company secrets hidden inside its build logs.

CI services are used to detect bugs in the coding process at a very early stage. These services keep logs of the project and interactions with various remote servers and APIs, passwords, SSH keys, or API tokens are recorded in the CI logs.

The most widely used CI service is Travis CI due to its GitHub integration, while Circle CI and GitLab CI are a few popular other CI services.

A few years back, researchers identified that Travis CI logs expose API keys, Github access tokens, and other secrets. Attackers launched attacks against Travis CI to search build logs in bulk and extract some of the secrets. Since then, Travis CI has changed its processes and has been running various automated scripts to detect patterns that appear to look like passwords or API tokens and replace them with the word "[secure]" inside the build logs.

Why it matters?

Three years later, researchers have re-discovered that CI services still contain company secrets inside its build logs. Researchers have urged the CI services to review its CI build logs for any sensitive tokens that may leak through the basic pattern filtering procedures.

Researchers noted that attackers could also take another avenue and search CI build logs for terms like ‘is not in the npm registry,’ ‘No matching distribution,’ and ‘Could not find a valid gem,’ which are error messages when a library has been removed from the npm, PyPI, or RubyGems package repositories.

Searching for such terms could allow an attacker to learn the names of dead packages that are still used in active projects. Attackers can then re-register those packages and use the rogue library for backdooring legitimate projects.

“This research has helped us get a better understanding of the large attack surface that continuous-integration services present - almost hidden in plain sight,” researchers said, ZDNet reported.