On Friday, DockerHub informed its users of a security breach in its database via an email written by Kent Lamb, Director of Docker Support. The breach exposed sensitive information including some usernames and hashed passwords, as well as tokens for GitHub and Bitbucket repositories, for approximately 190K users. The company said this number is only five percent of DockerHub’s entire user base.
Lamb explained that the security incident took place a day prior, on April 25, when the company discovered unauthorized access to a single Hub database storing a subset of non-financial user data.
“For users with autobuilds that may have been impacted, we have revoked GitHub tokens and access keys, and ask that you reconnect to your repositories and check security logs to see if any unexpected actions have taken place,” Lamb said in his email.
The GitHub and Bitbucket access tokens stored in Docker Hub let developers modify their projects’ code and are used to auto-build images on Docker Hub. A third party who obtains these tokens would gain access to the code within the linked private repositories and, depending on the permissions granted to the token, could also modify it.
Misusing these tokens to modify code and deploy compromised images can lead to serious supply-chain attacks, since Docker Hub images are widely used in server configurations and applications.
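One defensive check that follows from this, added here as an example rather than anything from the article or from Docker: a small Python auditor that parses the image references in a deployment manifest and flags every image pulled by a mutable tag instead of a sha256 digest pin, since a re-pointed tag is exactly how a tampered autobuild would reach production unnoticed. The reference grammar is a simplified form of the OCI distribution spec, and the sample image list and digests are constructed placeholders.

```python
import re

# Simplified image reference grammar (after the OCI distribution spec):
#   [registry[:port]/]path[:tag][@sha256:<64 hex chars>]
# The first component is treated as a registry only when it contains a dot
# or a port, or is "localhost", mirroring Docker's own rule.
_REF_RE = re.compile(
    r"^(?:(?P<registry>[^/]+\.[^/]+|localhost(?::\d+)?)/)?"
    r"(?P<path>[a-z0-9]+(?:[._-][a-z0-9]+)*(?:/[a-z0-9]+(?:[._-][a-z0-9]+)*)*)"
    r"(?::(?P<tag>\w[\w.-]{0,127}))?"
    r"(?:@(?P<digest>sha256:[a-f0-9]{64}))?$"
)

def parse_image_ref(ref):
    """Split an image reference into registry, repository path, tag and digest.
    Unqualified Docker Hub references are normalised to docker.io/library/<name>."""
    m = _REF_RE.match(ref.strip())
    if not m:
        raise ValueError(f"unparseable image reference: {ref!r}")
    registry, path, tag, digest = m.group("registry", "path", "tag", "digest")
    if registry is None:
        registry = "docker.io"
        if "/" not in path:          # e.g. "nginx" -> "library/nginx"
            path = "library/" + path
    return {"registry": registry, "path": path, "tag": tag, "digest": digest}

def audit_image_refs(refs):
    """Return (reference, reason) for every image that is not pinned by digest.
    A tag can be silently re-pointed at a new (possibly tampered) build;
    a sha256 digest cannot, so digest pins are what block that path."""
    findings = []
    for ref in refs:
        info = parse_image_ref(ref)
        if info["digest"] is None:
            tag = info["tag"] or "latest"
            findings.append((ref, f"mutable tag '{tag}' with no digest pin"))
    return findings

# Constructed sample: image lines as they might appear in a compose file or
# Kubernetes manifest. The digests are placeholder values, not real ones.
SAMPLE_IMAGES = [
    "nginx:1.15",
    "python",
    "microsoft/dotnet:2.2",
    "mcr.microsoft.com/dotnet/runtime:3.1",
    "myorg/autobuilt-app:latest@sha256:" + "b" * 64,
    "docker.io/library/alpine@sha256:" + "0" * 64,
]

if __name__ == "__main__":
    for ref, reason in audit_image_refs(SAMPLE_IMAGES):
        print(f"{ref}: {reason}")
```

Run against the real manifests in a repository, the list of findings is the set of images a compromised autobuild token could have swapped out underneath a deployment without any change to the manifest itself.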
“A vast majority of Docker Hub users are employees inside large companies, who may be using their accounts to auto-build containers that they then deploy in live production environments.
A user who fails to change his account password may have their account’s autobuilds modified to include malware”, ZDNet reports.
Meanwhile, the company has asked users to change their password on Docker Hub and on any other accounts that shared this password. For users with autobuilds that may have been impacted, the company has revoked GitHub tokens and access keys, and asked users to reconnect to their repositories and check security logs to see if any unexpected actions have taken place.
Referring to DockerHub’s security exposure, a post on a Microsoft website states, “While initial information led people to believe the hashes of the accounts could lead to image:tags being updated with vulnerabilities, including official and microsoft/ org images, this was not the case. Microsoft has confirmed that the official Microsoft images hosted in Docker Hub have not been compromised.”
Docker said it is enhancing its overall security processes, is still investigating the incident, and will share details when available.
A user on HackerNews commented, “I find it frustrating that they are not stating when exactly did the breach occur. The message implies that they know, due to the “brief period” claim, but they are not explicitly stating one of the most important facts. No mention in the FAQ either.
I’m guessing that they are either not quite certain about the exact timing and duration, or that the brief period was actually embarrassingly long.”
On the Docker breach: Even if your company doesn't rely on Docker Hub for production, if a developer in your org enabled auto builds and linked to GitHub via oauth for a personal project, when that oauth token is compromised, _all_ repos on GH they had access to are vulnerable.
— Kenn White (@kennwhite) April 27, 2019
Looking a bit further, I think they only had an oauth key (now revoked) and didn't use deploy keys? Looking at the github docs (https://t.co/n4DNqdVzcc) it appears the `repo` scope is for read/write. The good news is that they've been revoked already.
— Erica Windisch (@ewindisch) April 27, 2019
I got the email too – nothing on the website itself and they didn’t force a PW change… isn’t that standard procedure? Lucky I didn’t miss the email!
— Mark Hood (@markhood) April 27, 2019
For more details on this news, head over to the official DockerHub post.