Data breach: Docker Hub database compromised, 190,000 users affected.
Docker has notified users that an unauthorized party gained access to a Docker Hub database, exposing sensitive information belonging to approximately 190,000 users.
The exposed data included usernames and password hashes for some of those users, as well as the GitHub and Bitbucket access tokens used by Docker Hub autobuilds.
Depending on the scope of a leaked token, an attacker could push changes to the linked source repository (for example, the Dockerfile), which the autobuild would then turn into a rebuilt, trojanized image: a typical supply chain attack.
Docker learned of the unauthorized access to the Hub database on April 25, 2019.
“On Thursday, April 25th, 2019, we discovered unauthorized access to a single Hub database storing a subset of non-financial user data. Upon discovery, we acted quickly to intervene and secure the site.” reads the data breach notice sent to the impacted users via email.
“During a brief period of unauthorized access to a Hub database, sensitive data from approximately 190,000 accounts may have been exposed (less than 5% of Hub users). Data includes usernames and hashed passwords for a small percentage of these users, as well as Github and Bitbucket tokens for Docker autobuilds.”
The company confirmed that it has already revoked all exposed tokens and access keys.
“It is important for developers who used Docker Hub autobuild to check their project’s repositories for unauthorized access,” reads a blog post published by Bleeping Computer, which first reported the news. “Even worse, with these notices coming late on a Friday night, developers potentially have a long night ahead of them as they assess their code.”
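The two practical takeaways above are that a leaked autobuild token lets an attacker push to the linked source repository, and that affected developers should review those repositories for unauthorized changes. The following triage helper is an added example (not Docker's or Bleeping Computer's code) of one way to start that review: it parses the output of `git log` restricted to the Dockerfile and flags commits that were made by an author outside an allowlist, or that fall inside the assumed exposure window without a verified signature. The sample log lines, the trusted-author list and the exposure window are all constructed for the example; Docker did not publish the exact window, so the dates here are placeholders.

```python
"""Triage commits touching the Dockerfile after a token compromise.

Added example, not code from Docker or from the reporting cited above.
Assumed input format (tab-separated), produced by:
    git log --format='%H%x09%an%x09%ae%x09%G?%x09%aI%x09%s' -- Dockerfile
where %G? is git's signature status: G = good signature, N = no signature,
B = bad signature, U/X/Y/R/E = other non-trusted states.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Set, Tuple

# Constructed sample output of the git log command above (not real commits).
SAMPLE_LOG = """\
a1b2c3d\tAlice Dev\talice@example.org\tG\t2019-04-20T10:00:00+00:00\tBump base image to alpine:3.9
d4e5f6a\tAlice Dev\talice@example.org\tN\t2019-04-25T22:41:07+00:00\tAdd build step
0badf00\tBob Build\tbob@example.org\tN\t2019-04-25T23:15:30+00:00\tfix: update entrypoint
"""

# Assumed allowlist of maintainers for the project under review.
TRUSTED_AUTHORS: Set[str] = {"alice@example.org"}

# Assumed exposure window; Docker only said "a brief period" around April 25, 2019.
WINDOW_START = datetime(2019, 4, 25, tzinfo=timezone.utc)
WINDOW_END = datetime(2019, 4, 27, tzinfo=timezone.utc)


@dataclass
class Commit:
    sha: str
    author_name: str
    author_email: str
    sig_status: str      # git %G? value
    authored: datetime
    subject: str


@dataclass
class Finding:
    sha: str
    reasons: List[str]


def parse_git_log(text: str) -> List[Commit]:
    """Parse the tab-separated log format described in the module docstring."""
    commits: List[Commit] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        sha, name, email, sig, ts, subject = line.split("\t", 5)
        commits.append(Commit(sha, name, email, sig, datetime.fromisoformat(ts), subject))
    return commits


def triage(log_text: str, trusted: Set[str],
           window_start: datetime, window_end: datetime) -> List[Finding]:
    """Flag commits worth a manual look.

    Note: author name/email are client-supplied metadata and trivially spoofed
    by anyone holding a push token, so an allowlisted author is weak evidence.
    A verified ("G") signature from a maintainer key is the only strong signal;
    inside the exposure window, anything unsigned is therefore flagged as well.
    """
    findings: List[Finding] = []
    for c in parse_git_log(log_text):
        reasons: List[str] = []
        if c.author_email.lower() not in {t.lower() for t in trusted}:
            reasons.append("author not in trusted list")
        in_window = window_start <= c.authored <= window_end
        if in_window and c.sig_status != "G":
            reasons.append(f"inside exposure window without good signature (status {c.sig_status!r})")
        if reasons:
            findings.append(Finding(c.sha, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, TRUSTED_AUTHORS, WINDOW_START, WINDOW_END):
        print(f.sha, "; ".join(f.reasons))
```

Run it against the real output of the `git log` command in the docstring (or the equivalent for Bitbucket-hosted repositories) with your own maintainer list and the window in which your token was exposed; commits it flags are candidates for a diff review, and any Docker Hub image built from them should be treated as untrusted until that review is done.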
The data breach notification is available at: https://news.ycombinator.com/item?id=19763413.
The project owners are advising users to change their Docker Hub password, and the password of any other account that uses the same credentials.
Pedro Tavares is a professional in the field of information security working as an Ethical Hacker/Pentester, Malware Researcher and also a Security Evangelist. He is also a founding member at CSIRT.UBI and Editor-in-Chief of the computer security blog seguranca-informatica.pt.
In recent years he has invested in the field of information security, exploring and analyzing a wide range of topics, such as pentesting (Kali Linux), malware, exploitation, hacking, IoT and security in Active Directory networks. He is also a freelance writer (Infosec Resources Institute and Cyber Defense Magazine) and the developer of 0xSI_f33d, a feed that compiles phishing and malware campaigns targeting Portuguese citizens.