IT researchers from Flare have examined images on Docker Hub to see if they contain extractable secret credentials. They were able to extract such secrets from more than 10,000 images.
In an analysis, the IT security researchers provide an overview and offer tips on how organizations can better protect themselves against such unintentional data leakage. The IT analysts investigated who the credentials belong to, what environments they provide access to, and the potential impact on affected organizations and their surroundings.
Thousands of Docker Images with Access Information
Docker Hub is a central cloud registry for storing and sharing images. These can be public or private and are used, for example, in automated software deployment. Within one month, Flare employees encountered more than 10,000 images that had leaked secrets – including credentials to production systems. More than 100 organizations are affected, among them one listed in the Fortune 500 and a large bank. Many were not even aware of the leak.
A full 42 percent of the images contained five or more secrets, granting access to an organization's entire cloud environment, software distribution and databases in one go. API keys for AI LLM services accounted for the largest share of leaked secrets, at around 4,000 alone. For the researchers, this shows how far AI adoption has already outpaced the adaptation of security controls. Another large portion consists of so-called shadow IT access – personal credentials of employees or contract partners. These are invisible to company-wide monitoring systems, the researchers explain.
While developers have often removed leaked secrets from their containers, about three-quarters of them have not revoked and rotated the affected keys, leaving organizations exposed for months or years. Flare concludes that attackers are not hacking into systems but authenticating into them. As an example, the researchers cite the Shai-Hulud-2 worm, which is spreading in the npm ecosystem. The analysis provides interested parties with even more detailed insights.
A series of articles on heise online is dedicated to Docker Image Security and provides concrete tips on how to build minimal, secure container images yourself. Since sensitive credentials turn up not only in Docker images but frequently also in (public) software repositories in general, there are also tools that help detect leaked secrets on GitHub.
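To illustrate the kind of check such tools perform, here is an added example (not code from Flare or heise online) that scans one image layer tarball for secret-shaped strings; the regexes, file names and sample contents are constructed assumptions, and the layer is built in memory so it runs offline.

```python
import io
import re
import tarfile

# Illustrative secret shapes (assumed patterns, not Flare's detection rules).
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "openai_style_api_key": re.compile(r"\bsk-[A-Za-z0-9]{20,}\b"),
    # Matches only the variable name of KEY/TOKEN/SECRET/PASSWORD assignments in env-style files.
    "env_assignment": re.compile(r"^[A-Z0-9_]*(?:KEY|TOKEN|SECRET|PASSWORD)[A-Z0-9_]*(?==\S)", re.M),
}

def redact(value):
    """Keep a short prefix so a finding is recognisable without reproducing the secret."""
    return value[:4] + "..." + str(len(value)) + " chars"

def scan_layer(layer_bytes, max_file_size=1_000_000):
    """Return (path, pattern_name, evidence) for every hit in one layer tarball."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(layer_bytes), mode="r:*") as tar:
        for member in tar:
            if not member.isfile() or member.size > max_file_size:
                continue
            try:
                text = tar.extractfile(member).read().decode("utf-8")
            except UnicodeDecodeError:
                continue  # binaries are skipped here; a real scanner would check them too
            for name, pattern in SECRET_PATTERNS.items():
                for match in pattern.finditer(text):
                    hit = match.group(0)
                    evidence = hit if name == "env_assignment" else redact(hit)
                    findings.append((member.name, name, evidence))
    return findings

def build_sample_layer():
    """Constructed sample layer: a .env file, a stray AWS credentials file and harmless code."""
    files = {
        "app/.env": b"DB_PASSWORD=hunter2\nOPENAI_API_KEY=sk-" + b"a" * 24 + b"\nDEBUG=true\n",
        "root/.aws/credentials": b"[default]\naws_access_key_id = AKIAIOSFODNN7EXAMPLE\n",
        "app/main.py": b"print('hello')\n",
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, content in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()

if __name__ == "__main__":
    for path, kind, evidence in scan_layer(build_sample_layer()):
        print(f"{path}: {kind} ({evidence})")
```

Running it against every layer of an image before it is pushed catches exactly the .env files and credential files the report describes; any hit still has to be followed by revoking and rotating the key, since deleting the file from a later layer does not remove it from the image history.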
(dmk)
This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.