Threat Actors Exploited Bitbucket Artifacts to Expose AWS Secrets in Plaintext
22 May 2024 at 06:50
BitBucket Artifacts Contain Secrets in Plaintext
Bitbucket Pipelines, the CI/CD service integrated within Bitbucket, uses artifact objects to store variables, files, and directories for use in subsequent stages of the build and testing process. Bitbucket's "Secured Variables" feature is stated to store sensitive information such as AWS keys securely: the values are encrypted within the Bitbucket environment, preventing direct access to them and keeping them out of logs. Developers employ the printenv command to write all environment variables, including secured variables, to a text file, which is then included in an artifact object. However, researchers from Mandiant discovered a critical flaw in this system: artifact objects generated during pipeline runs contain these secured variables in plaintext.

Because developers are not aware that these secrets are exposed in artifact files, they may inadvertently push secret values to public repositories where threat actors can steal them. The researchers state that a threat actor could simply open the text file artifacts to view sensitive variables in plaintext, easily stealing authentication secrets that can then be used to steal data or perform other malicious activity. The researchers noted instances where development teams used Bitbucket artifacts in web application source code for troubleshooting, unknowingly exposing plaintext values of secret keys. This led to the exposure of these keys on the public internet, allowing attackers to leverage them for unauthorized access.

Researchers Share Guide on Replicating BitBucket Vulnerability
The researchers shared step-by-step instructions on recreating the leak of secrets within a Bitbucket environment, as proof of the vulnerability. These steps included defining a secured variable, updating the bitbucket-pipelines.yml file to create an environment artifact, and downloading and accessing the artifact to view the exposed secrets. The researchers shared the following recommendations to protect BitBucket Pipeline secrets:

- Storing secrets in a dedicated secrets manager and then referencing those variables in the code stored in your Bitbucket repository.
- Closely reviewing Bitbucket artifact objects to ensure they are not exposing secrets as plain text files.
- Deploying code scanning throughout the full lifecycle of your pipeline to catch secrets stored in code before they are deployed to production.
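As an added example of the second recommendation (reviewing artifact objects before they leave the pipeline), the following script scans a `printenv`-style dump for secured-variable names and for values shaped like AWS credentials. It is not code from the article or from Mandiant; the variable-name list and the sample artifact are constructed for illustration, and the key values in it are fake.

```python
import re
from typing import List, Tuple

# Pipeline variable names whose values must never appear in an artifact.
# Constructed list for this example; extend it with your own secured variable names.
SENSITIVE_NAMES = {"AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN"}

# Value shapes typical of AWS credentials: access key IDs are AKIA/ASIA plus 16
# uppercase alphanumerics; secret access keys are 40 base64-like characters.
VALUE_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?<![A-Za-z0-9/+=])[A-Za-z0-9/+=]{40}(?![A-Za-z0-9/+=])"),
}

def scan_env_dump(text: str) -> List[Tuple[int, str, str]]:
    """Scan printenv output (one NAME=VALUE per line) and return
    (line_number, finding, variable_name) for each leaking line.
    The secret value itself is deliberately never returned or printed."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        name, sep, value = line.partition("=")
        if not sep:
            continue  # not a NAME=VALUE line
        name = name.strip()
        if name in SENSITIVE_NAMES and value:
            findings.append((lineno, "sensitive variable name", name))
            continue
        # Catch credentials stored under an unexpected variable name.
        for label, pattern in VALUE_PATTERNS.items():
            if pattern.search(value):
                findings.append((lineno, f"value looks like {label}", name))
                break
    return findings

# Constructed sample artifact, shaped like what `printenv > env.txt` would write.
# The credential values are fake placeholders, not real keys.
SAMPLE_ARTIFACT = """\
HOME=/opt/atlassian/pipelines/agent/build
BITBUCKET_BRANCH=main
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
DB_TOKEN=AKIAABCDEFGHIJKLMNOP
PATH=/usr/local/bin:/usr/bin
"""

if __name__ == "__main__":
    hits = scan_env_dump(SAMPLE_ARTIFACT)
    for lineno, finding, name in hits:
        print(f"line {lineno}: {finding} ({name})")
    # Fail the pipeline step so the artifact is never published.
    raise SystemExit(1 if hits else 0)
```

Run it as a step before the `artifacts:` section of the pipeline is populated, pointing it at any file the build writes from the environment.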