Docker Hub Breach: It's Not the Numbers; It's the Reach
Potential Leak of GitHub, Bitbucket Tokens As Well
Docker, which offers an open source container platform, is notifying users that an intruder briefly had access to sensitive data from 190,000 Docker Hub accounts, which it says is less than 5 percent of Hub users. But the mishap has caused a collective gasp because the breach potentially magnifies risks for enterprises.
Docker's Hub is a place where developers can store app "containers," which can be quickly deployed or moved. Container images can be set as public or private, and the Hub is the place to go to grab, for example, an official image of MongoDB or nginx.
Docker says in an advisory that one of its Hub databases, which included usernames and hashed passwords, was exposed.
Although the database didn't contain financial data, it did contain tokens from other much-used developer resources, including GitHub and Bitbucket. When developers are building an image - or autobuilding one - coding resources are often pulled from other places. The tokens have been revoked, Docker says.
And that's what makes the Docker Hub breach potentially so much more worrying: If tokens have been compromised, it gives attackers many more places to slip in malicious code.
As one commenter on Hacker News put it, Docker Hub has been an attractive target for some time: "With how much of the internet blindly pulls images from it [Docker Hub], the potential gain from hijacking just one high-profile one would be monumental."
Docker has notified affected developers by email, and some may have already noticed revoked credentials. If the hash of a password was exposed, Docker has sent password reset links.
Because tokens for other repositories have been disabled, Docker says those who have autobuilds drawing on GitHub or Bitbucket code will need to re-link the repositories.
Docker says that none of the Official Images have been hacked. "We have additional security measures in place for our Official Images including GPG signatures on git commits as well as Notary signing to ensure the integrity of each image," it says.
The Docker Hub situation illustrates how a breach that appears smallish by the numbers could be much worse because developers work across different services.
Or as Dino A. Dai Zovi, a staff security engineer with Square, put it: "2019 being the year of software supply-chain integrity keeps getting truer."
On the Docker breach: Even if your company doesn't rely on Docker Hub for production, if a developer in your org enabled auto builds and linked to GitHub via oauth for a personal project, when that oauth token is compromised, _all_ repos on GH they had access to are vulnerable. — Kenn White (@kennwhite) April 27, 2019
As an example, the mixing of professional and personal coding by developers could magnify the Docker Hub risk, writes Kenn White, a security expert and co-director of the Open Crypto Audit Project, on Twitter.
"On the Docker breach: Even if your company doesn't rely on Docker Hub for production, if a developer in your org enabled autobuilds and linked to GitHub via oauth for a personal project, when that oauth token is compromised, _all_ repos on GH they had access to are vulnerable," White writes.
White also notes that it's usually possible to bypass two-step verification with authorization tokens.
What to Do Now
Those at risk can take several steps to help ensure that containers or repositories haven't been altered.
"If you publish containers to Docker Hub and use autobuilds, please check if your GitHub/BitBucket API tokens have been used to push any changes to your GitHub/BitBucket/Docker Hub repos," Zovi writes.
Also, check the last build time for an image and see if new images have been pushed manually, writes Madhu Akula, a security automation engineer with Appsecco, who published a post-breach action checklist.
It's also good to check if new collaborators have been added to a Docker Hub account, Akula writes. Other items to watch out for are if new webhooks or GitHub apps have been added, modified or removed.
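The checks described above can be run as a single pass over account activity. The following Python is an added example, not code from Docker or from the people quoted here; it assumes activity from GitHub, Bitbucket and Docker Hub has already been mapped into a hypothetical normalized record format, and the sample records, timestamps and 30-minute build allowance are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample records in a hypothetical normalized schema (not a real
# GitHub, Bitbucket or Docker Hub export). Timestamps are not the incident's.
EVENTS = [
    {"time": "2020-01-01T09:00:00", "source": "github", "kind": "push", "auth": "ssh", "target": "org/app"},
    {"time": "2020-01-06T02:14:00", "source": "github", "kind": "push", "auth": "oauth_token", "target": "org/app"},
    {"time": "2020-01-06T02:20:00", "source": "github", "kind": "webhook_added", "auth": "oauth_token", "target": "org/app"},
    {"time": "2020-01-06T03:00:00", "source": "dockerhub", "kind": "autobuild", "auth": "service", "target": "org/app:latest"},
    {"time": "2020-01-06T03:05:00", "source": "dockerhub", "kind": "image_push", "auth": "service", "target": "org/app:latest"},
    {"time": "2020-01-06T05:40:00", "source": "dockerhub", "kind": "image_push", "auth": "password", "target": "org/app:latest"},
    {"time": "2020-01-06T05:45:00", "source": "dockerhub", "kind": "collaborator_added", "auth": "password", "target": "org/app"},
]

# Access and integration changes the checklist says to look for.
CONFIG_CHANGES = {"collaborator_added", "webhook_added", "webhook_modified",
                  "webhook_removed", "app_added", "app_modified", "app_removed"}

def review(events, window_start, build_slack=timedelta(minutes=30)):
    """Return (reason, event) pairs for events at or after window_start."""
    start = datetime.fromisoformat(window_start)
    builds = [(e["target"], datetime.fromisoformat(e["time"]))
              for e in events if e["kind"] == "autobuild"]
    findings = []
    for e in events:
        when = datetime.fromisoformat(e["time"])
        if when < start:
            continue  # before the exposure window under review
        if e["kind"] == "push" and e["auth"] == "oauth_token":
            findings.append(("code push made with a linked OAuth token", e))
        elif e["kind"] in CONFIG_CHANGES:
            findings.append(("access or integration change", e))
        elif e["kind"] == "image_push":
            # Expected only shortly after an autobuild of the same tag.
            built = any(t == e["target"] and timedelta(0) <= when - b <= build_slack
                        for t, b in builds)
            if not built:
                findings.append(("image pushed with no matching autobuild", e))
    return findings

if __name__ == "__main__":
    for reason, e in review(EVENTS, "2020-01-05T00:00:00"):
        print(f'{e["time"]} {e["source"]:<9} {e["target"]:<15} {reason}')
```

Each finding is a prompt for manual review against what the team actually did, not proof of tampering.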