Researchers found 46,076 Docker containers leaking sensitive data

The use of containers, especially open-source development platform Docker, has seen a dramatic increase in the last few years. This has also put them on the radar of threat actors looking to exploit any vulnerabilities. A June report by Aqua Security showed that botnets attack 50% of new misconfigured Docker APIs within 56 minutes of being set up.  

Now a new research by security firm Redhunt Labs has found thousands of public Docker repositories are leaking hardcoded secrets and sensitive configuration files copied to attackers. After scanning millions of publicly exposed Docker containers, researchers at Redhunt found 46,076 containers that had leaked at least one hard-coded credential or sensitive configuration file. A total of 57,589 sensitive configuration files were copied to Docker images across 36,176 repositories, the findings show. They also identified 10,181 repositories that were leaking 15,541 hardcoded secrets.

The hardcoded credentials found in the Docker images included AWS and other cloud environment access keys, private keys, and webhooks. The most commonly found secret was the username and password to clone git repositories. Clone Git repositories are used to create clones of existing data repositories.

The researchers observed that a Docker image created from a vulnerable base image will remain vulnerable in most cases due to Common Vulnerabilities and Exposures (CVEs) in the software packed with the base image. They found that six out of the 10 base images were built more than a year ago and, in most cases, the base image remained unpatched.

They also warned that most users when creating Docker Images make the mistake of copying a private key in one layer and deleting the key in the next layer. "Once a file is added in a layer, you can’t remove it in subsequent layers. If you copy a sensitive file in one docker layer and delete it in the following layer, the file will still exist in the docker image," the researchers said.

Another common mistake that contributed to the leak, as per the researchers, was hard-coding of credentials into Docker Images and putting it on their free Docker Hub account, which enabled anyone to download the image and see the credentials. 

They also pointed out that copying folders to Docker images with git logs can also expose the git repository. If a threat actor gains access to the images, they can see emails of committers, source of the repository, code changes, and hardcoded secrets. 

To address these issues, Redhunt advised against hardcoding tokens/API keys in Docker images and cloning/downloading required files using credentials. Also, to share Docker images, one should use a container registry that’s private by default, they added. 

During their research, Redhunt found 1,684,600 unique Docker Hub accounts. Around 4% belong to organizations and 96% of them have at least one public Docker repository.