Credentials for thousands of open source projects free for the taking, again! – Ars Technica
A service that helps open source developers build and test software is leaking thousands of authentication tokens and other security-sensitive secrets. Many of these leaks allow hackers to access the private accounts of developers on GitHub, Docker Hub, AWS, and other services, security experts said in a new report.
The tokens give anyone who holds them the ability to read or modify the code stored in repositories that distribute an untold number of software applications and code libraries. Unauthorized access to such projects opens the possibility of supply chain attacks, in which threat actors tamper with legitimate software before it's distributed to users. An attacker who can tamper with one widely used package can reach the huge number of downstream projects and production servers that depend on it.
Despite this being a known security concern, the leaks have continued, researchers in the Nautilus team at Aqua Security are reporting. Two batches of data the researchers accessed through the Travis CI API yielded 4.28 million and 770 million logs, respectively, spanning 2013 through May 2022. After sampling a small percentage of the data, the researchers found what they believe are 73,000 tokens, secrets, and other credentials.
"These access keys and credentials are linked to popular cloud service providers, including GitHub, AWS, and Docker Hub," Aqua Security said. "Attackers can use this sensitive data to initiate massive cyberattacks and to move laterally in the cloud. Anyone who has ever used Travis CI is potentially exposed, so we recommend rotating your keys immediately."
Travis CI is a provider of an increasingly common practice known as continuous integration. Often abbreviated as CI, it automates the building and testing of each code change that is committed. For every change, the code is built, tested, and merged into a shared repository. Given the level of access CI needs to do this work, CI environments usually store access tokens and other secrets that grant privileged access to sensitive parts of the cloud account, and anything a build step prints, including those values, ends up in the job log.
The access tokens found by Aqua Security belonged to private accounts on a wide range of services, including GitHub, AWS, and Docker Hub.
Examples of access tokens that were exposed include:
[Figure: examples of exposed access tokens. Source: Aqua Security]
The following graph shows the breakdown:
[Figure: breakdown of the exposed secrets by type. Source: Aqua Security]
Aqua Security researchers added:
We found thousands of GitHub OAuth tokens. It's safe to assume that at least 10-20% of them are live, especially those that were found in recent logs. We simulated in our cloud lab a lateral movement scenario, which is based on this initial access scenario:
1. Extraction of a GitHub OAuth token via exposed Travis CI logs.
2. Discovery of sensitive data (i.e., AWS access keys) in private code repositories using the exposed token.
3. Lateral movement attempts with the AWS access keys in AWS S3 bucket service.
4. Cloud storage object discovery via bucket enumeration.
5. Data exfiltration from the target's S3 to the attacker's S3.
Travis CI representatives didn't immediately respond to an email seeking comment for this post. Given the recurring nature of this exposure, developers should rotate access tokens and other credentials periodically, and immediately if they have ever used Travis CI. They should also regularly scan their code, build artifacts, and CI logs to ensure they don't contain credentials. Aqua Security has additional advice in its post.
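Step 1 of the scenario Aqua describes (pulling a token out of an exposed log) and the advice to scan artifacts for credentials are two sides of the same check. The following is an added example, not code from Ars Technica, Aqua Security, or Travis CI: a small scanner run over a few constructed Travis-style log lines, plus a redaction pass of the kind a CI runner should apply before a log is stored. The sample log, the token values, and the user names in it are all made up; the token formats it matches (the `ghp_`/`gho_`-prefixed GitHub tokens, `AKIA`/`ASIA`-prefixed AWS access key IDs) are the publicly documented ones. One caveat the example handles: GitHub tokens issued before 2021 were 40 hexadecimal characters, the same shape as a git commit SHA, so a bare hex-40 match is only reported when the line also carries a credential keyword such as `token` or `Authorization`.

```python
import re
from typing import List, Tuple

# Constructed sample of CI log lines in the style of a Travis CI job log.
# Every value here is made up for this example; none is a real credential.
SAMPLE_LOG = """\
$ git clone --depth=50 https://github.com/example-org/example-repo.git
$ export GITHUB_TOKEN=ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdef0123
$ curl -H "Authorization: token 0123456789abcdef0123456789abcdef01234567" https://api.github.com/user
HEAD is now at 9fceb02d4e5b7c1a0f3e6d8a2b4c6e8f0a1b2c3d Update README
$ export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
$ export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
$ docker login -u exampleuser -p s3cr3tP4ssw0rd! docker.io
The command "make test" exited with 0.
"""

# Patterns with a fixed, recognisable shape. A capturing group, when present,
# isolates the secret value from the surrounding text.
PATTERNS = {
    # GitHub token formats introduced in 2021: a type prefix plus 36 characters.
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    # AWS access key IDs: long-term keys start with AKIA, temporary ones with ASIA.
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    # AWS secret keys have no prefix, so match only when the variable name is present.
    "aws_secret_access_key": re.compile(
        r"(?i)aws_secret_access_key\s*[=:]\s*([A-Za-z0-9/+=]{40})"
    ),
    # The classic CI leak: a password passed on the docker login command line.
    "docker_login_password": re.compile(
        r"docker\s+login\b.*?\s(?:-p|--password)\s+(\S+)"
    ),
}

# Legacy GitHub OAuth/personal tokens were 40 hex characters, indistinguishable
# from a git commit SHA by shape alone, so they are reported only on lines that
# also carry a credential keyword.
LEGACY_HEX40 = re.compile(r"\b[0-9a-f]{40}\b")
CREDENTIAL_CONTEXT = re.compile(r"(?i)(token|authorization|oauth|secret|password|api[_-]?key)")


def scan_log(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, kind, value) for every secret found in the log text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                value = match.group(1) if match.groups() else match.group(0)
                findings.append((line_no, kind, value))
        if CREDENTIAL_CONTEXT.search(line):
            for match in LEGACY_HEX40.finditer(line):
                findings.append((line_no, "github_legacy_token", match.group(0)))
    return findings


def redact_log(text: str) -> str:
    """Replace every secret value found by scan_log with a labelled placeholder."""
    lines = text.splitlines()
    for line_no, kind, value in scan_log(text):
        lines[line_no - 1] = lines[line_no - 1].replace(value, f"[REDACTED:{kind}]")
    return "\n".join(lines) + ("\n" if text.endswith("\n") else "")


if __name__ == "__main__":
    for line_no, kind, value in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {kind}: {value[:6]}...")
    print(redact_log(SAMPLE_LOG))
```

On the sample log the scanner reports five secrets (a modern GitHub token, a legacy hex-40 token next to an `Authorization` header, an AWS access key ID, an AWS secret key, and a Docker Hub password) and leaves the commit SHA on the `HEAD is now at` line alone. Anything it does report should be treated as already compromised and rotated, not merely removed from the log.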