When Will They Ever Learn?
The title comes from a folk song written by Pete Seeger in the 1950s, but apparently, software developers are not into folk music.
In this case, security researchers are warning that developers are leaving security credentials in public repositories.
They found these credentials in repositories run by IBM, DigitalOcean, AWS, GitLab, and others.
The attack is so basic a teenager could exploit it. The code was owned by Fortune 500 firms, among others.
All a teenager has to do is query the repository API for every entry of the .dockerconfigjson and .dockercfg types, which are the secret types that store registry credentials.
Of the 438 records the researchers reviewed that potentially held valid credentials for registries, 200 or so were valid. Passwords had been set both manually and automatically, and the majority granted the user both push and pull permissions.
In addition, nearly 50% of the passwords are considered weak.
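The two secret types the researchers searched for have a fixed layout, so a repository owner can check their own manifests for embedded registry logins before anything is committed. The following is an added example, not code from the original post or from The Hacker News article: it parses a Kubernetes Secret of type .dockerconfigjson or .dockercfg, reports which registries carry credentials, and flags weak passwords with a simple heuristic; the manifest, hosts and passwords are constructed placeholders.

```python
import base64
import json
import re

# The two Kubernetes Secret types named in the text; both embed registry logins.
DOCKER_SECRET_TYPES = {"kubernetes.io/dockerconfigjson", "kubernetes.io/dockercfg"}

def b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()

def is_weak(password: str) -> bool:
    """Heuristic only: shorter than 12 chars or fewer than three character classes."""
    classes = sum(bool(re.search(p, password)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    return len(password) < 12 or classes < 3

def find_registry_credentials(manifest: dict) -> list:
    """Report every registry login embedded in a Secret manifest. Passwords are never
    returned: each finding carries only secret name, registry, user and a weak verdict."""
    if manifest.get("kind") != "Secret" or manifest.get("type") not in DOCKER_SECRET_TYPES:
        return []
    findings = []
    data = manifest.get("data", {})
    for key in (".dockerconfigjson", ".dockercfg"):
        if key not in data:
            continue
        cfg = json.loads(base64.b64decode(data[key]))
        # .dockerconfigjson nests registries under "auths"; legacy .dockercfg is the mapping itself
        auths = cfg.get("auths", {}) if key == ".dockerconfigjson" else cfg
        for registry, entry in auths.items():
            if "auth" in entry:  # "auth" is base64("user:password")
                user, _, password = base64.b64decode(entry["auth"]).decode().partition(":")
            else:
                user, password = entry.get("username", ""), entry.get("password", "")
            findings.append({"secret": manifest["metadata"]["name"], "registry": registry,
                             "user": user, "weak": is_weak(password)})
    return findings

# Constructed sample (placeholder hosts, made-up passwords): a committed Secret manifest loaded into a dict.
SAMPLE_MANIFEST = {
    "apiVersion": "v1", "kind": "Secret", "type": "kubernetes.io/dockerconfigjson",
    "metadata": {"name": "regcred"},
    "data": {".dockerconfigjson": b64(json.dumps({"auths": {
        "registry.example.com": {"auth": b64("deploy:Passw0rd")},
        "images.example.org": {"username": "ci", "password": "Tr0ub4dor&3-rotates-nightly"},
    }}))},
}

if __name__ == "__main__":
    for f in find_registry_credentials(SAMPLE_MANIFEST):
        print(f"{f['secret']}: {f['registry']} user={f['user']} weak={f['weak']}")
```

Run it over every YAML document in a repository (after loading each with a YAML parser) as a pre-commit or CI step; any finding at all means a registry login is about to be committed, whatever its strength.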
Mitigating the impact in this particular case, many of the credentials had already expired and some of the registries require MFA.
Still, hard-coding credentials is a really dangerous practice, and internal repositories are at risk as soon as a hacker compromises a single developer’s credentials, as we have seen happen many times.
More importantly, there is no reason to store credentials inside a container or any other software.
If you need help with this subject, please contact us.
Credit: The Hacker News