
Aqua Security: Exposed Secrets in Personal GitHub Repositories Pose Major Security Risks for Corporations

When employees at major organizations like Microsoft and RedHat use personal GitHub repositories for side projects, they can unknowingly expose sensitive corporate data, opening the door to significant security incidents. Unfortunately, this isn't just a hypothetical scenario.

Recent research from Aqua Security has uncovered numerous Kubernetes configurations with exposed secrets, revealing that many major corporations were at risk. Surprisingly, most of these secrets were not found in official company repositories but in personal public GitHub repos of employees, demonstrating a case of cloud-native Shadow IT.

Shadow IT in the Cloud Era

“Shadow IT” refers to the use of IT systems, devices, software, applications, and services without explicit approval from an organization's IT department. This includes using personal data storage services like OneDrive, Dropbox, or Google Drive for work documents, or installing unauthorized software on company devices. In the cloud-native development context, Shadow IT extends to employees' personal source code management platforms like GitHub.

The risk of Shadow IT on GitHub is substantial because threat actors can easily search for exposed sensitive data in public repositories. While corporate repositories are typically scanned for sensitive data, personal repositories often aren't, expanding the attack surface for organizations.

Findings from the Research

The study focused on Kubernetes configuration files in public GitHub repositories, particularly Secret manifests whose values are base64-encoded. Base64 is an encoding, not encryption: anyone who finds the file can decode the values in one step. Many of these secrets were usernames and passwords for the container registries that Kubernetes clusters pull their images from. Alarmingly, 66% of the valid tokens found were in the personal repositories of employees or of external contractors rather than in official company repositories.
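The following is an added example, not Aqua Security's scanner or any code from the research: it decodes the `data:` block of a Kubernetes Secret manifest and, for a `kubernetes.io/dockerconfigjson` pull secret, the nested `auth` field (itself base64 of `user:password`). The manifest, registry hostname and credentials below are constructed for the example and are not real.

```python
"""Decode registry credentials from a committed Kubernetes Secret manifest.

Added example (not Aqua Security's tooling). Handles the flat `data:` /
`stringData:` layout that kubectl and most generators emit, and unwraps
dockerconfigjson pull secrets down to username and password.
"""
from __future__ import annotations

import base64
import json
import re

# --- Constructed sample (fake credentials, fake registry) -------------------
# The blob is built here so the example is self-contained; a committed file
# would already carry the opaque base64 string.
_FAKE_AUTH = base64.b64encode(b"registry-bot:hunter2-not-real").decode()
_FAKE_DOCKERCONFIG = json.dumps(
    {"auths": {"registry.example.internal": {"auth": _FAKE_AUTH}}}
)
SAMPLE_MANIFEST = f"""apiVersion: v1
kind: Secret
metadata:
  name: internal-registry-pull
  namespace: build
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: {base64.b64encode(_FAKE_DOCKERCONFIG.encode()).decode()}
---
apiVersion: v1
kind: Secret
metadata:
  name: ci-token
type: Opaque
stringData:
  API_TOKEN: plain-text-token-not-real
"""

_KEY_VALUE = re.compile(r"^\s+([^\s:]+):\s*(\S+)\s*$")
SENSITIVE_KEY = re.compile(r"(pass(word)?|token|secret|key|auth)", re.I)


def extract_secret_values(manifest: str) -> list[tuple[str, str, str]]:
    """Return (section, key, decoded_value) for every entry under `data:`
    (base64-decoded) or `stringData:` (taken as-is), across all documents."""
    found = []
    section = None
    for line in manifest.splitlines():
        stripped = line.strip()
        if stripped in ("data:", "stringData:"):
            section = stripped[:-1]
            continue
        if not line.startswith(" "):       # left the indented block (or hit ---)
            section = None
            continue
        m = _KEY_VALUE.match(line)
        if section is None or not m:
            continue
        key, raw = m.groups()
        raw = raw.strip("\"'")
        if section == "data":
            try:
                value = base64.b64decode(raw, validate=True).decode("utf-8", "replace")
            except ValueError:             # not valid base64, ignore
                continue
        else:
            value = raw
        found.append((section, key, value))
    return found


def parse_dockerconfigjson(value: str) -> list[dict]:
    """Unwrap a decoded .dockerconfigjson into registry/username/password."""
    creds = []
    try:
        cfg = json.loads(value)
    except json.JSONDecodeError:
        return creds
    for registry, entry in cfg.get("auths", {}).items():
        auth = entry.get("auth")
        if auth:                           # "auth" is base64("user:password")
            user, _, password = base64.b64decode(auth).decode().partition(":")
        else:                              # some generators write the fields directly
            user, password = entry.get("username", ""), entry.get("password", "")
        creds.append({"registry": registry, "username": user, "password": password})
    return creds


def mask(secret: str) -> str:
    return secret[:2] + "*" * max(len(secret) - 2, 0)


def report(manifest: str) -> list[str]:
    """One finding per sensitive-looking entry, with the value masked for logging."""
    findings = []
    for section, key, value in extract_secret_values(manifest):
        if key == ".dockerconfigjson":
            for c in parse_dockerconfigjson(value):
                findings.append(
                    f"registry credential for {c['registry']}: "
                    f"user={c['username']} password={mask(c['password'])}"
                )
        elif SENSITIVE_KEY.search(key):
            findings.append(f"{section}/{key}: {mask(value)}")
    return findings


if __name__ == "__main__":
    for finding in report(SAMPLE_MANIFEST):
        print(finding)
```

The same decoding takes an attacker seconds with `base64 -d` and `jq`; the only difference between this script and an attacker's is that the attacker then runs `docker login` against the registry with the recovered username and password.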

Specific Incidents

Microsoft: Researchers discovered a privileged Azure Container Registry Token in a personal GitHub repository of a Microsoft employee. This token granted unauthorized access to several internal Azure projects, including Azure IoT Edge and Akri. The token allowed for the retrieval or overwriting of private images, posing significant risks to both Microsoft's internal operations and its users.

"We reported this issue to Microsoft, which then promptly invalidated the token, deleted the employee’s commit, and assigned this security incident an important severity," said the research team.

RedHat: Similar incidents were identified with RedHat, where tokens for internal container registries were found in personal repositories. These tokens provided pull and push privileges, risking leakage of sensitive information and potential facilitation of supply chain attacks. RedHat promptly invalidated the tokens and reviewed internal credentials.

Tigera: Credentials for Tigera's internal container registry were exposed in a Git commit by another company. The registry contained images from various Tigera projects, such as Calico. Tigera invalidated the token on the same day and confirmed that, as a scoped token, there was no risk posed to their software.

Mitigation Strategies

The research underscores the urgent need for organizations to enforce robust security measures against such threats. Recommended mitigations from Aqua Security include:

  • Regular Scanning: Continuously scan the internet for exposed environments or secrets, particularly on platforms like GitHub.

  • Employee Training: Encourage employees, contractors, and code contributors to regularly scan their personal accounts for any corporate secrets or misconfigurations.

  • Least Privilege with Scoped Keys: Ensure all access keys are scoped to limit privileges to only what is necessary for specific tasks.

  • Secret Lifespan Limits: Set expiration dates for secrets to limit their longevity.

  • Anomaly Detection: Monitor for anomalies in connections, work patterns, and the push/pull of images.

  • Secure Kubernetes Secrets: Never commit Kubernetes Secret manifests to public repositories, whether the values are plaintext (`stringData`) or base64-encoded (`data`), because base64 is reversible and offers no protection; encrypt secrets at rest in Git with tools like Sealed Secrets or Mozilla SOPS, so only the cluster (or key holder) can decrypt them.
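As an added illustration of the anomaly-detection recommendation above (this is example code, not Aqua Security's or any registry vendor's detection logic), the block below learns a per-token baseline of source networks, actions, repositories and hours of day from a registry's audit events, then flags later events that deviate from it. The one-object-per-line event format, the token name and the IP addresses are all constructed for this example.

```python
"""Flag anomalous container-registry activity for a token.

Added example (not Aqua Security's tooling). Baseline behaviour is learned
from each token's first BASELINE_EVENTS events; later events are compared
against that baseline. The log format below is invented for this example.
"""
from __future__ import annotations

import ipaddress
import json
from collections import defaultdict
from datetime import datetime

BASELINE_EVENTS = 4  # events per token used to learn "normal"

# Constructed sample: a CI pull token that only ever pulled during the day
# from the office /24, then one night pulls and pushes from an unknown address.
SAMPLE_LOG = """\
{"time": "2023-11-06T09:12:03Z", "token": "ci-pull-7f3a", "action": "pull", "repo": "platform/api", "src_ip": "203.0.113.14"}
{"time": "2023-11-06T09:15:41Z", "token": "ci-pull-7f3a", "action": "pull", "repo": "platform/worker", "src_ip": "203.0.113.22"}
{"time": "2023-11-07T10:02:19Z", "token": "ci-pull-7f3a", "action": "pull", "repo": "platform/api", "src_ip": "203.0.113.14"}
{"time": "2023-11-07T10:40:55Z", "token": "ci-pull-7f3a", "action": "pull", "repo": "platform/api", "src_ip": "203.0.113.31"}
{"time": "2023-11-09T02:17:08Z", "token": "ci-pull-7f3a", "action": "pull", "repo": "platform/api", "src_ip": "198.51.100.77"}
{"time": "2023-11-09T02:19:30Z", "token": "ci-pull-7f3a", "action": "push", "repo": "platform/api", "src_ip": "198.51.100.77"}
"""


def parse_events(log: str) -> list[dict]:
    """Parse one JSON event per line, attach the /24 of the source IP, sort by time."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["time"] = datetime.fromisoformat(e["time"].replace("Z", "+00:00"))
        e["net"] = ipaddress.ip_network(f"{e['src_ip']}/24", strict=False)
        events.append(e)
    return sorted(events, key=lambda e: e["time"])


def build_baselines(events: list[dict]) -> dict[str, dict]:
    """Per token: networks, actions, repos and an hour-of-day window seen early on."""
    first = defaultdict(list)
    for e in events:
        if len(first[e["token"]]) < BASELINE_EVENTS:
            first[e["token"]].append(e)
    baselines = {}
    for token, evs in first.items():
        hours = [e["time"].hour for e in evs]
        baselines[token] = {
            "nets": {e["net"] for e in evs},
            "actions": {e["action"] for e in evs},
            "repos": {e["repo"] for e in evs},
            "hours": range(min(hours) - 1, max(hours) + 2),  # one hour of slack each side
        }
    return baselines


def detect_anomalies(log: str) -> list[tuple[str, list[str]]]:
    """Return (event time, reasons) for each post-baseline event that deviates."""
    events = parse_events(log)
    baselines = build_baselines(events)
    counted = defaultdict(int)
    alerts = []
    for e in events:
        counted[e["token"]] += 1
        if counted[e["token"]] <= BASELINE_EVENTS:
            continue  # this event is part of the baseline itself
        b = baselines[e["token"]]
        reasons = []
        if e["net"] not in b["nets"]:
            reasons.append(f"new source network {e['net']}")
        if e["action"] not in b["actions"]:
            reasons.append(f"first {e['action']} by a token that previously only did {sorted(b['actions'])}")
        if e["repo"] not in b["repos"]:
            reasons.append(f"new repository {e['repo']}")
        if e["time"].hour not in b["hours"]:
            reasons.append(f"outside usual hours ({e['time'].hour:02d}:00 UTC)")
        if reasons:
            alerts.append((e["time"].isoformat(), reasons))
    return alerts


if __name__ == "__main__":
    for when, reasons in detect_anomalies(SAMPLE_LOG):
        print(when, "; ".join(reasons))
```

The push by a token that had only ever pulled is the signal that matters most here: a leaked pull secret that suddenly pushes is exactly the image-overwrite scenario the Microsoft and RedHat findings describe. A real deployment would persist baselines across runs and feed alerts to the team that can revoke the token.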
