Startling findings by researchers from RWTH Aachen University reveal that a concerning number of Docker Hub images, one in 12, leak sensitive secrets such as credentials and API secrets. Conducting a comprehensive scan of the global IPv4 address space, the researchers discovered over 340,000 images on Docker Hub and private registries. Shockingly, 8.5 percent of these images, equivalent to 28,621 images, contained exposed secrets.
Among the leaked secrets, the researchers identified more than 52,000 private keys and over 3,000 API secrets. To make matters worse, some of these compromised secrets were being actively used "in the wild," posing significant security risks.
The implications of these leaked secrets are severe. Shared certificate private keys could lead to impersonation attacks, while shared API secrets could result in exhausted rate limits or exposure of private data. Revoking a single API token can cause disruptions for all users, creating a difficult situation for developers.
Analyzing the protocols associated with the leaked secrets, the researchers found an extensive list, including FTP, PostgreSQL, MySQL, SIP, SMTP, POP3, IMAP, SSH, and HTTPS. This range of protocols indicates that sensitive information is at risk across various applications.
To address this critical issue, the researchers advocate for greater caution among image creators, warning them against uploading secrets to public Docker registries. Additionally, users deploying containers based on downloaded images should be vigilant about the potential compromise of secrets like private keys.
To enhance security, the researchers suggest integrating credential-finding tools, such as TruffleHog or SecretScanner, on both sides of the Docker paradigm.
Markus Dahlmanns, Constantin Sander, Robin Decker, and Klaus Wehrle are the researchers responsible for uncovering these alarming vulnerabilities in Docker usage. Their findings underscore the urgent need for improved security practices in the Docker community to protect sensitive information from unauthorized access and misuse.