Restricting access to user accounts is the entire goal of app security. Complex defenses such as Web Application Firewalls (WAFs) and Runtime Application Self-Protection (RASP) help reinforce and defend the perimeters of users’ profiles against aggressive intruders.
But what if an attacker could just waltz through the front door, using a key you dropped on your way out? This is the risk of a ‘secret leak’.
It’s a threat that is growing rapidly, as app developers accidentally leave confidential, high-security information embedded in code repositories.
The Credential Landscape
Secret leaks are becoming increasingly dangerous thanks to two primary issues: user behavior, and app development.
Today, you need to log in to so many different applications, websites, software, and online entities: if your memory isn’t perfect, this almost guarantees credential reuse.
Many people reuse the same credentials across their personal and business accounts. This places us in a far more vulnerable position than we otherwise would be.
But the question is: Vulnerable to what? The software supply chain. It’s a driving force in today’s economy, empowering devs to deliver the apps we use on a day-to-day basis.
App development is a massively collaborative process. This is the latest trend in the tech-sphere; from Microsoft coining the buzzword “collaborative apps” to Teams’ new collaborative coding platform.
Especially throughout the last year, real-time, remote collaboration across devs, teams, and business analysts is as vital as it’s ever been. However, devs are only human.
In the process of rapid code creation and sharing, it’s very easy to leave sensitive information – even one single line – within hundreds of lines of valid, running code.
Open source in the software supply chain
Code repositories are vital for both the private and public sectors. These allow projects to be shared as text, allowing easy compiling and running.
GitHub is especially prolific in the open-source space, allowing sharing and collaboration on code. GitHub is free for open-source projects such as Supabase, and there’s an inbuilt wiki and issue tracker. This makes it even easier to collect in-depth documentation and feedback.
For enterprises, GitHub provides a hassle-free method of remote collaboration. There’s no need to connect to a company’s VPN; most devs just find it far easier to dump their work on a private GitHub repository.
Supabase, a fast-growing open-source startup, launched 50,000 databases in 2021 alone: it’s a telling example of the sheer scope of repositories out there.
The Uber Oopsie
Up until 2017, Uber devs compiled and collaborated on code in a shared GitHub repository.
However, in 2014 and again in 2016, attackers broke their way into this storage, exposing the personally identifiable information of seven million Uber drivers and no less than 50 million Uber customers.
The data that was exposed included names, telephone numbers, email addresses, and over half a million driver’s license numbers.
This information was stored on an external third-party cloud solution – specifically Amazon Web Services (AWS). However, the credentials to this cloud were available on the collaborative GitHub repository.
Uber never revealed how the attackers accessed the GitHub repository, but it’s possible that a brute-force or password-guessing attack was used; particularly given that Uber only implemented multi-factor authentication after the attack.
Following the 2016 attack, Uber allegedly paid the leakers $100,000 to keep the matter quiet and delete the data. The hack was eventually reported by the company in November 2017.
The Codecov Case
GitHub is only one of the many ways in which apps leak data. Codecov provides a vast array of code testing software.
An enterprise’s code is tested by downloading a script directly from Codecov’s servers. This checks the code coverage of the testing apparatus and reports back to Codecov’s servers.
In 2021, attackers conducted a severe supply chain attack by rerouting all of the clients’ integration information to the attackers’ third-party server.
This was achieved through a relatively simple bait and switch. The bash script responsible for uploading the code back to Codecov’s servers was edited – they added a single line of code. It was nestled snugly at line 525 of an 1,800+-line script.
How could they even edit such a vital piece of security framework?
A Docker image contains the application code, libraries, and tools needed to make an application run. Codecov created their Docker images in a particularly insecure way, allowing the attackers to extract a credential from the image itself.
In the same way that Uber leaked the data of its own customers, Codecov allowed attackers to harvest their clients’ sensitive app data for months before the discovery.
Industry leaders GitGuardian summarized the staggering extent of secret leakage.
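The lesson a CI pipeline can act on from the Codecov case is that a helper script fetched from a vendor’s server should not be run unless its contents match a digest that was reviewed and pinned out of band. The following Python is an added example, not Codecov’s uploader or anything from the original article: the stand-in script, its pinned hash and the tampered copy are all constructed here, and the single inserted line is a harmless placeholder chosen only to show that a one-line change is enough to fail verification.

```python
import hashlib
import hmac

# Constructed stand-in for a CI uploader script; not Codecov's real uploader.
TRUSTED_SCRIPT = b"""#!/bin/bash
set -e
report=$(find . -name 'coverage.xml' | head -n 1)
curl -sS --data-binary @"$report" https://uploader.example.invalid/report
"""

# In a real pipeline this digest comes from a reviewed copy of the script and
# is stored with the pipeline configuration, not downloaded alongside the
# script (an assumption of this example). Here it is computed from the
# trusted copy so the example runs stand-alone.
PINNED_SHA256 = hashlib.sha256(TRUSTED_SCRIPT).hexdigest()

# A copy with one extra, deliberately harmless line inserted at line 4.
TAMPERED_SCRIPT = TRUSTED_SCRIPT.replace(b"curl ", b"export UPLOAD_FLAGS=--verbose\ncurl ")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_script(content: bytes, expected_hex: str) -> bool:
    """True only if the SHA-256 of content equals the pinned digest (constant-time compare)."""
    return hmac.compare_digest(sha256_hex(content), expected_hex)


def added_lines(trusted: bytes, candidate: bytes):
    """Lines (1-based number, text) present in candidate but absent from trusted,
    so a reviewer can see exactly what changed when verification fails."""
    base = set(trusted.decode().splitlines())
    return [(no, line) for no, line in enumerate(candidate.decode().splitlines(), 1)
            if line not in base]


def run_if_verified(content: bytes, expected_hex: str, runner) -> bool:
    """Hand the script to runner only when verification passes; never execute otherwise."""
    if not verify_script(content, expected_hex):
        return False
    runner(content)
    return True


if __name__ == "__main__":
    executed = []  # stands in for actually invoking bash on the script
    print("trusted copy runs:", run_if_verified(TRUSTED_SCRIPT, PINNED_SHA256, executed.append))
    print("tampered copy runs:", run_if_verified(TAMPERED_SCRIPT, PINNED_SHA256, executed.append))
    for no, line in added_lines(TRUSTED_SCRIPT, TAMPERED_SCRIPT):
        print(f"unexpected line {no}: {line}")
```

The pinned digest must travel a different path from the script itself: if both are fetched from the same server, whoever can alter one can alter the other, and the check proves nothing.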
Plugging Secret Leaks
In the face of such a severe threat, some pretty major changes are in order. These require action and effort from both industry developers – to help prevent major supply chain attacks – and from businesses such as your own.
Industry change is already well underway. GitHub recently released a new secret-scanning capability. Once an app developer has defined the strings that constitute security breaches – such as access tokens – the scanner will automatically flag any matches.
From an organization’s perspective, you cannot assume that an app you’re introducing is safe. This is why automated and manual code reviews are vital to maintaining a secure ecosystem.
Manual code review is usually undertaken by one or two staff members, as they read through the lines of code and produce a report. Manual reviews are particularly useful for understanding the intentions of a developer.
On the other hand, manual reviews often miss overflow errors, dead code, and subtle mistakes.
This is where automated reviewing must step in: whereas human reviewers need 3 days to read 10,000 lines of code, automated review software can rapidly assess the quality and security soundness of an app.
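The following Python script is an added example, not GitHub’s scanner and not code from this article, showing the shape of the pattern-based secret scanning described above and the kind of automated check that complements a manual review: it walks the added lines of a unified diff, the way a pre-commit or pre-receive hook would, and reports the file and line of every suspected credential. The AWS access-key-ID prefix (AKIA) and the GitHub personal-access-token prefix (ghp_) are documented public formats; the generic assignment rule, the 3.5-bit entropy threshold and the sample diff are this example’s own assumptions, and every key in it is constructed.

```python
import math
import re
from collections import Counter

# Specific rules come first: dict order matters, because a value already
# matched by a specific rule is not reported a second time by the generic one.
PATTERNS = {
    # AWS access key IDs: "AKIA" followed by 16 upper-case alphanumerics.
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    # GitHub personal access tokens: "ghp_" followed by 36 alphanumerics.
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    # Heuristic: an identifier containing secret/token/password/api_key
    # assigned a long literal value (this example's own rule).
    "generic_assignment": re.compile(
        r"(?i)\b[A-Za-z0-9_]*(?:secret|token|password|api[_-]?key)[A-Za-z0-9_]*"
        r"\s*[:=]\s*[\'\"]?([A-Za-z0-9/+=_\-]{16,})"
    ),
}


def shannon_entropy(s: str) -> float:
    """Bits per character; placeholders like 'changeme-changeme' score low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_lines(lines, entropy_threshold=3.5):
    """Return (line_no, rule, value) for every suspected secret in lines."""
    findings = []
    for no, line in enumerate(lines, start=1):
        seen = set()
        for rule, rx in PATTERNS.items():
            for m in rx.finditer(line):
                value = m.group(1) if m.groups() else m.group(0)
                if rule == "generic_assignment" and (
                    value in seen or shannon_entropy(value) < entropy_threshold
                ):
                    continue  # already reported, or too low-entropy to be a real key
                seen.add(value)
                findings.append((no, rule, value))
    return findings


def scan_diff(diff_text, entropy_threshold=3.5):
    """Scan only the added (+) lines of a unified diff, tracking new-file line numbers."""
    findings = []
    path, new_no = None, 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:]
            path = path[2:] if path.startswith("b/") else path
        elif raw.startswith("@@"):
            new_no = int(re.match(r"@@ -\d+(?:,\d+)? \+(\d+)", raw).group(1))
        elif raw.startswith("+") and path:
            for _, rule, value in scan_lines([raw[1:]], entropy_threshold):
                findings.append((path, new_no, rule, value))
            new_no += 1
        elif raw.startswith("-") or raw.startswith("diff "):
            continue  # removed line or file header: no new-file line consumed
        else:
            new_no += 1  # unchanged context line
    return findings


# Constructed sample diff: every credential below is made up for this example.
SAMPLE_DIFF = """\
diff --git a/Dockerfile b/Dockerfile
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,2 +1,4 @@
 FROM python:3.11-slim
+ENV AWS_ACCESS_KEY_ID=AKIAEXAMPLE0000000AB
+ENV AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
 COPY . /app
diff --git a/settings.py b/settings.py
--- a/settings.py
+++ b/settings.py
@@ -1,2 +1,3 @@
 import os
-PASSWORD = "changeme-changeme"
+PASSWORD = os.environ["DB_PASSWORD"]
+GITHUB_TOKEN = "ghp_0123456789abcdefghijklmnopqrstuvwxyz"
"""

if __name__ == "__main__":
    for path, no, rule, value in scan_diff(SAMPLE_DIFF):
        print(f"{path}:{no}: {rule}: {value[:8]}...")
```

Reading a credential from the environment, as the rewritten PASSWORD line does, is not flagged, while the ENV lines in the Dockerfile are: values baked into an image at build time end up in its layers, which is the same class of mistake the Codecov section describes.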
Secret leaks are a symptom of today’s intensely collaborative software landscape. Unlike Uber’s response, industry-wide caution and transparency are the only way to defend against this growing threat.