During the coding process, Continuous Integration (CI) Services are used to detect bugs. Additionally, CI logs are created and store APIs, passwords, SSH keys, or API tokens. Some of the most widely used platforms are Circle CI and GitLab CI, while the most popular is Travis CI because of its compatibility with GitHub. While it has been known for a few years that Travis CI logs were heavily targeted because of the information they stored, it seems as if attackers could still be able to access that sensitive data. Since the heavy flow of attacks against Travis CI, automated scripts have been used to help recognize patterns which may look like API tokens and or passwords and place the word “secure” inside the build logs. Although this has helped make things a little more secure the CI services are still full of company secrets. Attackers may now use the method of searching the build logs with phrases like “is not in the npm registry,” “No matching distribution,” and “Could not find a valid gem.” Even though these are error messages for libraries that have been taken down from npm, PyPI, and RubyGem package repositories, they could prove to be useful to attackers. These dead packages could still be used in new projects and then if they are re-registered by the attackers, they can use them as backdoors. Continuous Integration provides a large-scale attack platform and attackers will continue to take advantage of it as long as it remains easily accessible.
Analyst Notes
It is recommended that users protect their keys, credentials, and other company secrets. The easiest way to do this is to remove them from scripts, source code, and plain-text files. Access control throughout the entire toolchain should also be implemented. Users are also suggested to review all their logs often and make sure no changes have been made.
