Inadvertent leaks during software development place organizations at risk
The increasing prevalence of corporate access keys getting inadvertently exposed during software development is leaving organizations exposed to greater risk of attack.
Access keys, and their corresponding secrets, are used by developers to authenticate themselves.
These credentials ought to be kept private, but poor security practices mean they are frequently made ‘public’ – a shortcoming attackers often exploit to access corporate systems, in a process that can be partially automated using search tools.
Databases, cloud storage, and other services are all at risk from exposed access keys, according to new research released on Tuesday (September 15) by threat intelligence firm Digital Shadows.
Over a 30-day period, Digital Shadows scanned more than 150 million entities from GitHub, GitLab, and Pastebin.
During the course of this one-month study, Digital Shadows’ technology assessed and categorized almost 800,000 access keys and secrets.
More than 40% of these exposed credentials were for database stores, with 38% for cloud providers such as Google, Microsoft Azure and Amazon Web Services.
Google Cloud Platform was found to have the most exposed keys, with 56.5% of the total. Microsoft Azure access keys and SAS tokens make up 22.7% and 12.4% respectively.
Despite Amazon Web Services being the market leader, exposed keys for these services only made up 8.3% of the total.
Asked to comment on this odd result, Digital Shadows offered The Daily Swig some possible explanations.
“It’s hard to speculate, but it may well be a combination of more awareness and improved visibility,” a company spokesperson said. “Exposed AWS keys make the media headlines a lot, and security teams are cognizant of that.
“On top of this, GitHub’s secret monitoring does an excellent job of automatically revoking these AWS keys, and giving them that visibility to go and remove the commit or paste,” it added.
Payment token peril
Successful authentication into these environments could be hugely damaging and allow access to the associated cloud infrastructure, with permission to expose, destroy and/or manipulate sensitive data.
Login credentials for online services including collaboration platforms such as Slack and payment systems including Stripe were also exposed.
Corporate database keys were also frequently leaked, an error that potentially exposes the personal information of a target organization’s clients.
Credentials for Redis (37.2%), MySQL (23.8%), and MongoDB (19.3%) were the most commonly observed during the survey period.
Significant damage could also result from other exposed keys such as Stripe API keys (6.4% of the total). Access to these compromised keys could be abused to infiltrate payment systems.
Mailgun secret keys (4.4% of the total) could allow use of the API to send, receive and track emails – which would be highly useful to attackers looking for access to enable phishing campaigns.
The research also discovered thousands of tokens and keys for popular online services, including Slack tokens.
Russell Bentley at Digital Shadows commented: “Every day, technical information like keys and secrets are exposed online to code collaboration platforms.
“Normally this is accidental, but we have seen evidence that threat actors are scouring public repositories and looking to use it in order to access sensitive data and infiltrate organizations.”
Bentley added: “Most of the services we have identified are secure by design but as ever, humans are the weak link in the chain and frequently make information public when it should be private.”
The study is the first of its kind from Digital Shadows. The most recent research (PDF) by other security experts in this space found 100,000 repositories with exposed API keys.
Digital Shadows advises organizations to proactively search for leaked secrets, a task that’s facilitated by several already available open source tools. For example, Trufflehog can be used to search through git repositories for secrets, digging deep into commit history and branches.
Another tool, GitRob, can help find potentially sensitive files pushed to public repositories on GitHub.
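To show the kind of check these tools perform, the script below is an added example written for this page; it is not code from Trufflehog, GitRob, or Digital Shadows. It combines the two common detection approaches: regular expressions for key formats with a recognizable shape (AWS access key IDs, Stripe live keys, Google API keys, Slack tokens) and a Shannon-entropy check on values assigned to names such as `secret` or `password`. The patterns and the 4.0-bit entropy threshold are assumptions drawn from commonly published heuristics, not an authoritative rule set. The configuration it scans is constructed for the example: the AWS values are the documented AWS example credentials and the other values are made up, so nothing in it is a real secret. Findings are redacted before they are reported, so a scan log does not itself become a second leak.

```python
import math
import re
from dataclasses import dataclass

# Heuristic regexes for well-known key shapes (assumed from commonly published
# detection rules; vendors can change formats, so treat these as a starting set).
KEY_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "stripe_secret_key": re.compile(r"\bsk_live_[0-9a-zA-Z]{24}\b"),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z\-_]{35}\b"),
    "slack_token": re.compile(r"\bxox[baprs]-[0-9A-Za-z-]{10,}\b"),
}

# Generic candidate: a value of 20+ base64/hex-ish characters assigned to a
# variable whose name suggests a credential (e.g. aws_secret_access_key = "...").
ASSIGNMENT = re.compile(
    r"(?i)(secret|password|passwd|token|api[_-]?key|access[_-]?key)\w*"
    r"\s*[:=]\s*['\"]?([A-Za-z0-9+/=_\-]{20,})"
)

# Assumed threshold: random base64-like material usually scores well above
# 4 bits/char, while words and repeated characters score far lower.
ENTROPY_THRESHOLD = 4.0


@dataclass
class Finding:
    line_no: int
    kind: str
    redacted: str  # never store or print the full matched value


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character of the string (0.0 for empty input)."""
    if not value:
        return 0.0
    counts = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(value)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    """Keep only a short prefix and suffix so a finding can be located but not reused."""
    return value[:4] + "..." + value[-2:]


def scan_text(text: str, threshold: float = ENTROPY_THRESHOLD) -> list:
    """Scan a blob of text line by line and return redacted findings."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        seen = set()
        # 1. Known key formats: exact shape, no entropy needed.
        for kind, pattern in KEY_PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append(Finding(line_no, kind, redact(match.group(0))))
                seen.add(match.group(0))
        # 2. Unknown formats: credential-like name plus high-entropy value.
        for match in ASSIGNMENT.finditer(line):
            value = match.group(2)
            if value in seen:
                continue  # already reported under a specific pattern
            if shannon_entropy(value) >= threshold:
                kind = "high_entropy_" + match.group(1).lower()
                findings.append(Finding(line_no, kind, redact(value)))
    return findings


# Constructed sample input; the AWS values are the public AWS documentation
# examples and the rest are invented. None of these are live credentials.
SAMPLE = """\
# constructed sample config, not real credentials
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
STRIPE_KEY=sk_live_0123456789abcdefghijklmn
db_password = "aaaaaaaaaaaaaaaaaaaaaaaa"
log_level = debug
"""


if __name__ == "__main__":
    for finding in scan_text(SAMPLE):
        print(f"line {finding.line_no}: {finding.kind} ({finding.redacted})")
```

Run as-is it reports the AWS access key ID, the high-entropy secret on the next line, and the Stripe key, while ignoring the all-`a` password (entropy 0) and the ordinary setting. To cover commit history the way Trufflehog does, feed the output of `git log -p` through `scan_text` rather than only the working tree, since a secret removed in a later commit is still recoverable from the earlier one.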