Security researchers from Aqua have flagged a concerning finding: publicly exposed Kubernetes configuration secrets pose a significant supply chain attack risk. According to the researchers, encoded Kubernetes configuration secrets were discovered in files uploaded to public repositories, potentially placing the organizations that own them at risk.
Aqua’s Yakir Kadkoda and Assaf Morag detailed their findings, highlighting that numerous entities, including top blockchain firms and Fortune 500 companies, were affected. Leveraging the GitHub API, the researchers identified entries containing .dockerconfigjson and .dockercfg keys, which hold credentials for accessing container image registries.
Among the 438 records examined for valid credentials, a staggering 203 records (about 46%) contained credentials granting access to the respective registries. Notably, 93 of these passwords were manually set, while 345 were computer-generated.
The exposed credentials, in most cases, granted both pulling and pushing privileges, often revealing private container images within the registries. Alarmingly, nearly 50% of the manually set passwords were considered weak, including commonly used ones like ‘password,’ ‘test123456,’ ‘windows12,’ ‘ChangeMe,’ and ‘dockerhub.’
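A defender can catch exactly this class of leak before a manifest is pushed. The following is an added example, not Aqua's tooling or code from the original article: a stdlib-only Python checker that finds `.dockerconfigjson` and `.dockercfg` entries in a Kubernetes Secret manifest, base64-decodes them (Kubernetes stores Secret data base64-encoded, and Docker stores each registry login either as a base64 `auth` of `user:password` or as separate `username`/`password` fields), and flags passwords that are in the weak list quoted above or shorter than a length floor. The sample manifest, registry names, usernames and passwords are constructed for the example; the weak-password list and length threshold are the example's own assumptions, and the checker deliberately never returns the password itself.

```python
import base64
import json
import re

# Weak values quoted in the Aqua findings plus a length floor (assumption);
# a real policy would use a much larger breached-password list.
KNOWN_WEAK = {"password", "test123456", "windows12", "changeme", "dockerhub"}
MIN_LENGTH = 12

# Matches the data keys Kubernetes uses for registry pull secrets in a YAML
# manifest: ".dockerconfigjson: <base64>" or ".dockercfg: <base64>".
SECRET_KEY_RE = re.compile(
    r"^\s*(\.dockerconfigjson|\.dockercfg):\s*([A-Za-z0-9+/=]+)\s*$", re.M
)


def extract_secret_blobs(manifest_text):
    """Return (key, base64_value) pairs found under data: in the manifest."""
    return SECRET_KEY_RE.findall(manifest_text)


def _split_auth(entry):
    """Recover (username, password) from one registry entry.
    Docker stores either a base64 'auth' of 'user:password' or separate fields."""
    if "auth" in entry:
        user, _, pw = base64.b64decode(entry["auth"]).decode().partition(":")
        return user, pw
    return entry.get("username", ""), entry.get("password", "")


def decode_registry_credentials(key, b64_value):
    """Decode one .dockerconfigjson / .dockercfg blob into
    (registry, username, password) tuples."""
    config = json.loads(base64.b64decode(b64_value))
    # .dockerconfigjson nests registries under "auths"; legacy .dockercfg is the map itself.
    auths = config.get("auths", {}) if key == ".dockerconfigjson" else config
    return [(registry, *_split_auth(entry)) for registry, entry in auths.items()]


def is_weak_password(password):
    return password.lower() in KNOWN_WEAK or len(password) < MIN_LENGTH


def audit_manifest(manifest_text):
    """One finding per committed registry credential. The password itself is
    never included in the output, only its length and a weakness verdict."""
    findings = []
    for key, blob in extract_secret_blobs(manifest_text):
        for registry, user, pw in decode_registry_credentials(key, blob):
            findings.append({
                "key": key,
                "registry": registry,
                "username": user,
                "password_length": len(pw),
                "weak_password": is_weak_password(pw),
            })
    return findings


def _b64(obj):
    """Encode a dict the way it would sit in a Secret's data: section."""
    return base64.b64encode(json.dumps(obj).encode()).decode()


# Constructed sample: two Secret objects as they might appear in a committed
# manifests.yaml. Registries, users and passwords are invented for this example.
WEAK_AUTH = base64.b64encode(b"deploy-bot:ChangeMe").decode()
SAMPLE_MANIFEST = f"""apiVersion: v1
kind: Secret
metadata:
  name: regcred
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: {_b64({"auths": {"registry.example.com": {"auth": WEAK_AUTH}}})}
---
apiVersion: v1
kind: Secret
metadata:
  name: legacy-regcred
type: kubernetes.io/dockercfg
data:
  .dockercfg: {_b64({"https://index.docker.io/v1/": {"username": "ci-user", "password": "xK9#constructed-strong-passphrase"}})}
"""

if __name__ == "__main__":
    for finding in audit_manifest(SAMPLE_MANIFEST):
        print(finding)
```

Run as a pre-commit hook or CI step over every `*.yaml` in the repository, any finding at all is a reason to block the commit, since a valid registry credential should not be in source control regardless of password strength; the weakness flag is additional signal for the password policy the article goes on to recommend.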
Aqua emphasized the urgent need for stringent password policies within organizations, since weak password choices were a direct cause of the exposure.
The researchers also noted instances where organizations failed to remove secrets from files committed to public GitHub repositories, inadvertently exposing sensitive information.
However, amidst the concerning discoveries, Aqua highlighted some positive aspects. Credentials associated with AWS, Google Container Registry (GCR), and GitHub Container Registry were found to be temporary, expired, or fortified with additional layers of security like two-factor authentication (2FA), limiting unauthorized access.