Docker Hub could contain thousands of valuable secrets, and they’re all in plain view
“Thousands” of secrets have been exposed on Docker Hub, ranging from harmless API keys to information that could be put to malicious use.
This is according to the Cybernews Research Team, which recently analyzed 10,178 Docker Hub images. Of those, almost 5,500 container images (54%) contained secrets that could be considered sensitive information.
From those 5,500 container images, the researchers extracted exactly 191,529 secrets. Many were duplicates; removing them left the researchers with exactly 48,481 unique secrets.
Billions of downloads
The most common type of secret was GitHub tokens, which made up 26.6% of all discovered secrets (51,038). Next came Datadog tokens (13.9%) and Uniform Resource Identifiers (7.6%). Ten thousand private keys used for encryption or decryption were also discovered.
While these numbers are staggering, a closer look uncovers even more powerful secrets. For example, the researchers found more than 9,000 PayPal OAuth secrets, which are used to control access to user accounts and financial information. Additionally, there were nearly 8,000 UnifyID secrets that could reveal identity information.
The containers containing these secrets have been downloaded more than 132 billion times.
“That means exposed secrets could run on multiple servers around the world, posing risks and taking cloud resources away from unobtrusive Docker Hub contributors,” warns Cybernews researcher Vincentas Baubonis.
“If you expose secrets while uploading your images online, there is a high risk that threat actors will find them.”
Most of the secrets, the researchers further explained, came from reusing packets containing sensitive information.
“Developers expose various hidden data types and a huge amount of sensitive data. The ratio of unique secrets per vulnerable docker image is practically eight to one, meaning that one image exposing secrets is likely to expose eight on average,” Baubonis warned.
The research reveals a widespread practice of leaving sensitive data in container images, prompting calls for organizations to strengthen security measures. Baubonis advises developers to reset exposed secrets, encrypt sensitive data in images, and educate staff about the risks associated with embedded data.
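As an added example that is not part of this article or of the Cybernews research, the following Python scans a `docker save` archive for two of the secret types named above (GitHub tokens and PEM private keys) so an image can be checked before it is pushed; the sample archive, the token and the key are constructed dummies, and the file layout only assumes that each layer is itself a tar inside the outer archive.

```python
import io
import re
import tarfile

# Signatures for two of the secret types the study found most often: GitHub tokens
# (prefix ghp_/gho_/ghu_/ghs_/ghr_ plus 36 alphanumerics) and PEM private-key headers.
SECRET_PATTERNS = {
    "github_token": re.compile(rb"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "private_key": re.compile(rb"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
}

def scan_bytes(data):
    """Return the secret kinds present in one file's content."""
    return [kind for kind, pat in SECRET_PATTERNS.items() if pat.search(data)]

def scan_image_tar(image_tar):
    """Scan a `docker save` archive (path or file object); every member that is itself
    a tar (plain or compressed) is a layer. Returns (layer, path, secret kind) triples."""
    hits = []
    opener = {"fileobj": image_tar} if hasattr(image_tar, "read") else {"name": image_tar}
    with tarfile.open(mode="r:*", **opener) as outer:
        for member in outer.getmembers():
            if not member.isfile():
                continue
            try:
                with tarfile.open(fileobj=outer.extractfile(member), mode="r:*") as layer:
                    for entry in layer.getmembers():
                        f = layer.extractfile(entry) if entry.isfile() else None
                        for kind in scan_bytes(f.read()) if f else []:
                            hits.append((member.name, entry.name, kind))
            except tarfile.ReadError:
                continue  # manifest.json and the image config are not layer tars
    return hits

def _tar_bytes(files):
    """Build an in-memory tar from {path: bytes}; used only to construct the sample."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as t:
        for path, content in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(content)
            t.addfile(info, io.BytesIO(content))
    return buf.getvalue()

def build_sample_image():
    """Constructed `docker save`-style archive with one layer; token and key are dummies."""
    layer = _tar_bytes({"app/.env": b"GITHUB_TOKEN=ghp_" + b"A" * 36 + b"\n",
                        "root/.ssh/id_rsa": b"-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n",
                        "app/main.py": b"print('hello')\n"})
    return io.BytesIO(_tar_bytes({"manifest.json": b"[]", "layer1/layer.tar": layer}))
```

Layer files are read whole, so add a size cap before scanning images with large binaries; any hit means the credential should be rotated, not just deleted from the next build, since earlier layers and pulled copies keep it.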