Hapless AWS engineer spilled passwords, keys, confidential internal training info, customer messages on public GitHub

Only up for five hours, but that's plenty of time for the wrong person to spot it

Updated An Amazon Web Services engineer published exchanges with customers and "system credentials including passwords, AWS key pairs, and private keys" to a public GitHub repository by accident.

On 13 January, infosec biz UpGuard discovered a 954MB repository containing AWS resource templates – used to create cloud services – plus hostnames, and log files generated in the second half of 2019. There were also internal Amazon training resources marked "confidential."

"Several documents contained access keys for various cloud services," UpGuard reported today. "There were multiple AWS key pairs including one named 'rootkey.csv,' suggesting it provided root access to the user's AWS account. Other files contained collections of auth tokens and API keys for third party providers. One such file for an insurance company included keys for messaging and email providers."

UpGuard continued:

In addition to data related to computer systems like credentials, logs, and code, the repo also contained assorted documents that established the identity of the owner and their relationship to AWS.

These documents included bank statements, correspondence with AWS customers, and identity documents including a driver's license. Multiple documents included the owner’s full name. A LinkedIn profile matching the exact full name identified one person who listed AWS as their employer in a role that matched the kinds of data found in the repository. Other documents in the repository included training for AWS personnel and documents marked as “Amazon Confidential.”

Based on this evidence, UpGuard is confident the data originated from an AWS engineer.

A couple of hours after the discovery, UpGuard notified AWS security, and the repo was taken offline. The repository was public for less than five hours. However, as UpGuard noted by referencing this paper [PDF] from North Carolina State University, there are ways to discover mishaps like this quickly via GitHub's search features.

"One is able to discover 99 per cent of newly committed files containing secrets in real time," it said. These researchers believe that "thousands of new, unique secrets are leaked every day". What this means is that even five hours of exposure is plenty of time for confidential information to be picked up by criminals.

A Scotiabank card

Scotiabank slammed for 'muppet-grade security' after internal source code and credentials spill onto open internet


Why do so many secrets end up in GitHub repositories? A common reason is that developers trying out some new ideas hard-code credentials into applications, and then publish the code without thinking through the implications – or forget they are pushing to a public repo.

The problem is so common that GitHub has a token scanning service that scours "public repositories for known token formats to prevent fraudulent use of credentials that were committed accidentally."

GitHub also recommends "considering any tokens that GitHub sends you messages about as public and compromised".

In this case, however, the repository was "structured as general storage rather than application code, with many files in the top-level directory and no clear convention for the subdirectories," noted UpGuard. Why was this in a GitHub repository at all? This is not known; it could be anything from an errant script to a misguided attempt to use GitHub like Dropbox, for exchanging or backing up files.

UpGuard noted: "There is no evidence that the user acted maliciously or that any personal data for end users was affected, in part because it was detected by UpGuard and remediated by AWS so quickly." It is an oddly complacent conclusion bearing in mind the statements that precede it, but AWS will be hoping it is correct.

Does GitHub make it too easy to search its repositories for passwords and access tokens? Should GitHub scan for tokens before rather than after they are in public repositories? Should such data be redacted from internal logs and support data just in case – as Microsoft appears to have done?

We have asked AWS for comment and will report back with any statements. ®

Updated to add

A spokesperson for Amazon has told us the code repository was used by the engineer in a personal capacity, and claimed no customer data or company systems were exposed.

Similar topics

Narrower topics

Other stories you might like

  • Experts: AI should be recognized as inventors in patent law
    Plus: Police release deepfake of murdered teen in cold case, and more

    In-brief Governments around the world should pass intellectual property laws that grant rights to AI systems, two academics at the University of New South Wales in Australia argued.

    Alexandra George, and Toby Walsh, professors of law and AI, respectively, believe failing to recognize machines as inventors could have long-lasting impacts on economies and societies. 

    "If courts and governments decide that AI-made inventions cannot be patented, the implications could be huge," they wrote in a comment article published in Nature. "Funders and businesses would be less incentivized to pursue useful research using AI inventors when a return on their investment could be limited. Society could miss out on the development of worthwhile and life-saving inventions."

    Continue reading
  • Declassified and released: More secret files on US govt's emergency doomsday powers
    Nuke incoming? Quick break out the plans for rationing, censorship, property seizures, and more

    More papers describing the orders and messages the US President can issue in the event of apocalyptic crises, such as a devastating nuclear attack, have been declassified and released for all to see.

    These government files are part of a larger collection of records that discuss the nature, reach, and use of secret Presidential Emergency Action Documents: these are executive orders, announcements, and statements to Congress that are all ready to sign and send out as soon as a doomsday scenario occurs. PEADs are supposed to give America's commander-in-chief immediate extraordinary powers to overcome extraordinary events.

    PEADs have never been declassified or revealed before. They remain hush-hush, and their exact details are not publicly known.

    Continue reading
  • Stolen university credentials up for sale by Russian crooks, FBI warns
    Forget dark-web souks, thousands of these are already being traded on public bazaars

    Russian crooks are selling network credentials and virtual private network access for a "multitude" of US universities and colleges on criminal marketplaces, according to the FBI.

    According to a warning issued on Thursday, these stolen credentials sell for thousands of dollars on both dark web and public internet forums, and could lead to subsequent cyberattacks against individual employees or the schools themselves.

    "The exposure of usernames and passwords can lead to brute force credential stuffing computer network attacks, whereby attackers attempt logins across various internet sites or exploit them for subsequent cyber attacks as criminal actors take advantage of users recycling the same credentials across multiple accounts, internet sites, and services," the Feds' alert [PDF] said.

    Continue reading

Biting the hand that feeds IT © 1998–2022