About 73 thousand tokens and passwords of open-source projects were identified in public Travis CI logs

Aqua Security has published the results of a study of sensitive data present in the publicly accessible build logs of the Travis CI continuous integration service. The researchers found a way to retrieve 770 million logs from various projects. A test download of 8 million logs revealed 73 thousand tokens, credentials and access keys tied to various popular services, including GitHub, AWS and Docker Hub. The exposed information puts the infrastructure of many open-source projects at risk of compromise; for example, a similar recent leak led to the compromise of the NPM project's infrastructure.

The leak is tied to the ability to access the build logs of users of the free Travis CI service through the regular API (for example, a build log can be downloaded via a URL such as "https://api.travis-ci.org/v3/job/5248126/log.txt", where 5248126 is the log identifier). To obtain a larger set of logs, a second API ("https://api.travis-ci.org/logs/6976822") was used, which offers another way to download a log by its serial number. By enumerating identifiers, the study was able to identify, without authentication, about 770 million logs produced between 2013 and May 2022 during builds of projects on the free plan.

Analysis of the test sample showed that in many cases the log contains, in plain text, credentials for repositories, APIs and storage that are sufficient to access private repositories, change code or connect to the cloud environments used in builds. For example, tokens for connecting to repositories on GitHub, passwords for publishing packages to Docker Hub, keys for accessing the Amazon Web Services (AWS) environment, and connection parameters for MySQL and PostgreSQL databases were found in the logs.

Notably, similar leaks via the API were reported by researchers in 2015 and 2019. After those earlier incidents, Travis introduced some restrictions to make bulk data retrieval harder and to limit API access, but these restrictions were bypassed. Travis also attempted to scrub sensitive data from the logs, but the data was only partially removed.

The leak affected users of open-source projects, to whom Travis provides free access to its continuous integration service. During a check carried out by some of the affected service providers, about half of the tokens and keys extracted from the logs were confirmed to be still valid. All users of the free tier of Travis CI are advised to rotate their access keys promptly, to configure deletion of build logs, and to verify that no sensitive data appears in their logs.
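
As an added illustration of the last recommendation (checking that secrets never reach a build log), here is a small scanner that flags and masks credential-shaped strings of the kinds the study reports: GitHub tokens, AWS access key IDs, Docker Hub passwords passed on the command line, database connection URIs and generic `*_TOKEN=` assignments. This is example code, not from Aqua Security or Travis CI; the regular expressions are assumptions about common token formats, and the sample log is constructed.

```python
import re

# Token formats are assumptions about common credential shapes, not Travis CI rules.
PATTERNS = {
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    # user:password@ inside a MySQL/PostgreSQL connection URI; group 1 = password
    "db_uri_password": re.compile(r"\b(?:postgres(?:ql)?|mysql)://[^:\s/]+:([^@\s]+)@"),
    # e.g. `docker login --password <secret>`; group 1 = the secret
    "docker_password_flag": re.compile(r"(?:--password|-p)[ =](\S+)"),
    # FOO_TOKEN=..., SECRET: ... and similar; group 1 = the assigned value
    "generic_secret_assignment": re.compile(
        r"\b\w*(?:TOKEN|SECRET|PASSWORD|API_KEY)\w*\s*[=:]\s*['\"]?([A-Za-z0-9_\-/+.]{8,})",
        re.I),
}

# Constructed sample of a build log; none of these values are real credentials.
SAMPLE_LOG = """\
$ git clone https://github.com/example/project.git
$ export GITHUB_TOKEN=ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789
$ docker login -u ci-bot --password hunter2-docker-pass registry.example.org
$ export AWS_ACCESS_KEY_ID=AKIAEXAMPLEKEY000001
$ psql postgres://app:s3cretPassw0rd@db.internal:5432/app -c 'select 1'
$ export NPM_TOKEN="npm_constructedTokenValue123"
$ echo build ok
"""

def scan_log(text):
    """Return (findings, redacted_text): findings lists (line_number, pattern_name),
    redacted_text has each detected secret replaced by [REDACTED]. Patterns run in
    dict order, so a specific match is masked before the generic rule sees the line."""
    findings = []
    redacted_lines = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, rx in PATTERNS.items():
            for m in rx.finditer(line):
                findings.append((lineno, kind))
                # Mask only the captured secret when the pattern has one, else the whole match.
                secret = m.group(1) if m.groups() else m.group(0)
                line = line.replace(secret, "[REDACTED]")
        redacted_lines.append(line)
    return findings, "\n".join(redacted_lines)

if __name__ == "__main__":
    found, clean = scan_log(SAMPLE_LOG)
    print(found)
    print(clean)
```

Run as a step after the build, a non-empty findings list can fail the job before the log is published, and the redacted text is what should be uploaded instead.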

Source: opennet.ru
