Risky development practice leaves company access keys exposed
Company access keys, used by developers to authenticate into other systems, are all too frequently being left exposed to the public during the software development process, putting company data at risk of being compromised by malicious actors on the lookout for easy access to enterprise systems.
That is according to new data collated by Digital Shadows, which scoured more than 150 million entities from GitHub, GitLab and Pastebin in one 30-day period, and assessed and categorised close to 800,000 access keys and secrets.
It said over 40% of these keys would have granted access to database stores, 38% to cloud environments, including AWS, Google Cloud and Microsoft Azure, and 11% for online services, including collaboration platforms such as Slack, and payment systems.
“As software development has become increasingly distributed between in-house and outsourced teams, it has become challenging to monitor the exposure of sensitive information,” said Russell Bentley, product vice-president at Digital Shadows.
“Every day, technical information like keys and secrets are exposed online to code collaboration platforms. Normally this is accidental, but we have seen evidence that threat actors are scouring public repositories and looking to use it in order to access sensitive data and infiltrate organisations.
“Most of the services we have identified are secure by design but, as ever, humans are the weak link in the chain and frequently make information public when it should be private.”
Bentley said the impact of exposed database keys was “particularly profound”, offering malicious actors unauthorised access to corporate data and personally identifiable information (PII) with permissions to expose, destroy or manipulate it. Credentials for Redis, MySQL and MongoDB were the most commonly exposed, he said.
If an unauthorised actor was to successfully authenticate into a target’s cloud environment, the impact could be similarly severe, again giving them the ability to expose, destroy or otherwise manipulate sensitive data. When it came to public cloud providers, Digital Shadows said Google Cloud environments were the most likely to have exposed keys, followed by Microsoft Azure and SAS tokens.
It noted that despite AWS being the market leader, exposed keys for its services made up a far lower proportion of the total.
In terms of online services, such as Slack, malicious actors could use compromised keys to post phishing messages directly into their victim’s channels, gain access to sensitive information being passed around in conversations, and access Slack workspaces. Compromised keys to payment services, such as Stripe API keys, would also have predictably dire consequences.
Digital Shadows said users could take a number of courses of action, such as using tools such as Trufflehog to search through git repositories for accidentally committed secrets, or GitRob, which can be useful in finding sensitive files pushed to public repositories on GitHub.
GitHub secret scanning can also provide monitoring for many of the more frequently exposed key types observed by Digital Shadows, although it does not always extend to database stores.