A leak in the Travis CI API reveals tens of thousands of developer credentials.

The Travis CI API is a popular testing tool for code on GitHub and Bitbucket. Developers use the API to fix programming errors. Researchers from Aqua Security found that the API reveals the access tokens of free users to anyone who asks.

Access tokens

Access tokens are packets of identification data used by apps and systems. Most major platforms exchange access tokens to identify users. Without access tokens, using a Google account to log in elsewhere wouldn’t be possible. Repositories such as GitHub and Bitbucket store access tokens to ensure that an application has quick access to the web apps and APIs it uses.

The Travis CI API is a popular code testing tool on GitHub and Bitbucket. Research by Aqua Security shows that a design flaw allows anyone to obtain the access tokens of Travis CI’s free users.

The free version of the Travis CI API maintains logs of the code scanned for users. The logs can be retrieved via an API call. The logs show the access tokens of users’ GitHub environments, including login credentials for Docker Hub and AWS. Tens of thousands of access tokens are up for grabs.
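For teams reviewing their own build output, the following added example (not code from Aqua Security or Travis CI) scans a build log for the credential types named above, lists what has to be renewed, and masks the values. The rule set, the `[REDACTED]` mask and the sample log are assumptions made for this illustration, and every credential in the sample is constructed.

```python
import re

MASK = "[REDACTED]"
# Assumed rule set: publicly documented token prefixes plus a generic
# NAME=value rule for secret-looking variable names. Not exhaustive.
PATTERNS = {
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "docker_hub_pat": re.compile(r"\bdckr_pat_[A-Za-z0-9_-]{20,}"),
    "secret_assignment": re.compile(
        r"\b\w*(?:PASSWORD|SECRET|TOKEN)\w*=(?!\[REDACTED\])(\S{8,})", re.I),
}

# Constructed build log; every credential below is fake.
SAMPLE_LOG = "\n".join([
    "$ git clone https://github.com/example/app.git",
    "$ export GITHUB_TOKEN=ghp_" + "x" * 36,
    "$ docker login -u builder -p dckr_pat_EXAMPLEexampleEXAMPLE0000",
    "$ aws configure set aws_access_key_id AKIAEXAMPLE0EXAMPLE0",
    "$ export DEPLOY_SECRET=constructed-value-123",
    "$ export DB_PASSWORD=[REDACTED]",
    'The command "make test" exited with 0.',
])

def scan(log_text):
    """Return (line_no, kind, value) for each distinct credential per line."""
    findings, seen = [], set()
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        for kind, rx in PATTERNS.items():
            for m in rx.finditer(line):
                value = m.group(m.lastindex or 0)
                if (line_no, value) not in seen:  # specific rules win
                    seen.add((line_no, value))
                    findings.append((line_no, kind, value))
    return findings

def redact(log_text):
    """Mask every detected value so the log can be stored or shared."""
    for _, _, value in scan(log_text):
        log_text = log_text.replace(value, MASK)
    return log_text

def to_rotate(log_text):
    """Credential kinds seen in the log, i.e. what must be renewed."""
    return sorted({kind for _, kind, _ in scan(log_text)})

if __name__ == "__main__":
    print(scan(SAMPLE_LOG), to_rotate(SAMPLE_LOG))
```

Masking a log does not make an exposed credential safe again: anything `to_rotate` reports still has to be revoked and reissued.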

Worrying response

Aqua Security informed Travis CI of its findings. According to Travis CI, the feature is part of the API’s design. The developer refuses to change the design.

Besides Travis CI, Aqua Security contacted several popular cloud providers. After all, the access tokens of their users are at stake. A number of providers forced all users to log in again or renew their access tokens. Active or past users of the Travis CI API are advised to do the same. Aqua Security recommends that developers change access tokens regularly.
