2022-06-13
Travis CI API Exposes User Tokens
Researchers from Aqua’s Team Nautilus discovered that Travis CI API clear-text logs are available to anyone. The logs contain “tokens, secrets, and other credentials associated with popular cloud service providers such as GitHub, AWS, and Docker Hub.”
Editor's Note
It appears that in CI/CD, exposing credentials is a feature, not a bug. Automate rotating your credentials and assume they are lost if you are using the free version of Travis CI. This is likely to affect many open source projects using Travis CI to manage code deployment. This particular issue has existed in some form for years.

Johannes Ullrich
This is described as the intended behavior for the Free Tier version of Travis CI. If you are going to continue to use the free tier version, the best mitigation, today, is to proactively rotate access tokens, minimizing the interval they are viable if discovered. Better still investigate other options with a higher bar on protection of access tokens and related information, and properly fund key components such as your CI/CD tools.

Lee Neely
Read more in
AquaSec: Public Travis CI Logs (Still) Expose Users to Cyber Attacks
Ars Technica: Credentials for thousands of open source projects free for the taking—again!
SC Magazine: Travis CI API exposes thousands of user tokens that can let threat actors launch attacks
Dark Reading: Exposed Travis CI API Leaves All Free-Tier Users Open to Attack