Credentials for thousands of open source projects free for the taking, again! – Ars Technica
A hosted service that open source developers use to build and test software is leaking thousands of authentication tokens and other security-sensitive secrets. Many of these leaks let attackers access the private accounts of developers on GitHub, Docker Hub, AWS, and other services, security researchers said in a new report.
The tokens give anyone who holds them the ability to read or modify the code stored in repositories that distribute an untold number of actively maintained applications and code libraries. Unauthorized access to such projects opens the possibility of supply chain attacks, in which threat actors inject malicious code into software before it's distributed to users. Because one tampered library or application may be a dependency of many others, attackers can leverage that access to reach huge numbers of downstream projects that run the code on production servers.
Despite this being a known security concern (Travis CI logs have exposed secrets before, hence the "again" in the headline), the leaks have continued, researchers on the Nautilus team at Aqua Security report. Two batches of data the researchers retrieved through the Travis CI application programming interface yielded 4.28 million and 770 million logs from 2013 through May 2022. After sampling a small percentage of the data, the researchers found what they believe are 73,000 tokens, secrets, and other credentials.
"These access keys and credentials are linked to popular cloud service providers, including GitHub, AWS, and Docker Hub," Aqua Security said. "Attackers can use this sensitive data to initiate massive cyberattacks and to move laterally in the cloud. Anyone who has ever used Travis CI is potentially exposed, so we recommend rotating your keys immediately."
Travis CI is a hosted provider of continuous integration (CI), an increasingly common practice that automates building and testing each code change as it is committed. For every change, the code is built, tested, and merged into a shared repository. Because CI jobs need to reach repositories, package registries, and cloud accounts to do that work, CI environments usually store access tokens and other secrets that grant privileged access to sensitive parts of the cloud account, and whatever a build step prints, including any of those secrets, ends up in the build log.
The access tokens found by Aqua Security belonged to private accounts on a wide range of services, including GitHub, AWS, and Docker Hub.
(Figure, Aqua Security: examples of access tokens that were exposed.)
(Figure, Aqua Security: breakdown of the exposed credentials by type.)
Aqua Security researchers added:
We found thousands of GitHub OAuth tokens. It's safe to assume that at least 10-20% of them are live. Especially those that were found in recent logs. We simulated in our cloud lab a lateral movement scenario, which is based on this initial access scenario:
1. Extraction of a GitHub OAuth token via exposed Travis CI logs.
2. Discovery of sensitive data (i.e., AWS access keys) in private code repositories using the exposed token.
3. Lateral movement attempts with the AWS access keys in AWS S3 bucket service.
4. Cloud storage object discovery via bucket enumeration.
5. Data exfiltration from the target's S3 to the attacker's S3.
Travis CI representatives didn't immediately respond to an email seeking comment for this post. Given the recurring nature of this exposure, developers who have used Travis CI should rotate access tokens and other credentials now, and keep rotating them periodically. They should also regularly scan their code, build artifacts, and CI logs to ensure they don't contain credentials. Aqua Security has additional advice in its post.
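Two of the points above can be turned into a concrete check: CI build output is where these tokens end up, and developers should be scanning for them. The following is an added example written for this page, not code from Aqua Security, Travis CI, or the Ars Technica article. The log lines are constructed for the example (the AWS key pair is the example pair from AWS's own documentation; the GitHub token, deploy token, and password are made up), the credential patterns are a deliberately small hand-picked set, and the 3.5 bits-per-character entropy threshold is an assumed tuning value.

```python
"""Scan CI build-log text for leaked credentials and redact them.

Added example for this page; not Aqua Security's, Travis CI's, or any
scanner project's code.  SAMPLE_LOG is constructed: the AWS key pair is
AWS's documented example pair, everything else is made up.
"""
import math
import re
from collections import Counter

# Well-known credential shapes.  A small hand-picked set for illustration;
# production scanners (gitleaks, trufflehog, ...) ship far more rules.
PATTERNS = {
    "github_pat": re.compile(r"\b(gh[pous]_[A-Za-z0-9]{36})\b"),
    "aws_access_key_id": re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws_secret_access_key[\"'=:\s]+([A-Za-z0-9/+=]{40})\b"),
    # "docker login -p <pw>", "curl --password <pw>" and similar CLI flags
    "cli_password": re.compile(r"(?:^|\s)(?:-p|--password)[\s=]+(\S+)"),
}

# Generic fallback: NAME=VALUE where NAME hints at a secret; the value is
# then judged by its entropy rather than by a fixed format.
ASSIGNMENT = re.compile(
    r"(?i)\b([A-Z0-9_]*(?:TOKEN|SECRET|PASSWORD|KEY)[A-Z0-9_]*)"
    r"\s*[=:]\s*[\"']?([^\s\"']{16,})")
ENTROPY_THRESHOLD = 3.5  # bits/char, assumed; random tokens sit well above it


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character (0.0 for a string of one repeated char)."""
    counts = Counter(value)
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_log(text: str) -> list:
    """Return one finding per leaked value: {"line", "kind", "secret"}."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        seen = set()  # a value is reported once even if two rules hit it
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                secret = match.group(1)
                if secret not in seen:
                    seen.add(secret)
                    findings.append({"line": lineno, "kind": kind, "secret": secret})
        for match in ASSIGNMENT.finditer(line):
            value = match.group(2)
            if value not in seen and shannon_entropy(value) >= ENTROPY_THRESHOLD:
                seen.add(value)
                findings.append({"line": lineno,
                                 "kind": "high_entropy_assignment",
                                 "secret": value})
    return findings


def redact(text: str, findings: list) -> str:
    """Replace every found secret so the log can be stored or shared safely."""
    # Longest first, so a short secret never mangles a longer one it sits inside.
    for f in sorted(findings, key=lambda f: len(f["secret"]), reverse=True):
        text = text.replace(f["secret"], "<redacted %s>" % f["kind"])
    return text


# Constructed build log: a clone over HTTPS with an embedded token, exported
# AWS keys, a registry login on the command line, and a deploy token.
SAMPLE_LOG = """\
$ git clone https://ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghij@github.com/example/app.git
Cloning into 'app'...
$ export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
$ export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
$ docker login -u example -p hunter2
$ npm test
  42 passing (1.2s)
$ DEPLOY_TOKEN=c8f3a9e2b1d4f6a7e5c3b2a1d9f8e7c6b5a4d3f2 ./deploy.sh
Done. Your build exited with 0.
"""

if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for f in found:
        print("line %d: %s" % (f["line"], f["kind"]))
    print(redact(SAMPLE_LOG, found))
```

Run it over downloaded build logs, or pipe a job's output through redact before it is archived. A hit means the credential must be rotated, not merely deleted from the log: by the time the scanner sees it, the value has already left the build environment, and as the report notes, a log fetched through the Travis CI API may have been readable by anyone.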