Researchers discovered that a flaw in Atlassian’s Bitbucket code repository tool, allowed threat actors to successfully breach AWS accounts through the use of authentication secrets which were leaked as plaintext in Bitbucket artifacts.
Bitbucket provides a way to store variables, allowing developers to quickly reference them when writing code. Administrators can also set variables as “secured” as part of the Bitbucket Pipelines to prevent their values from being read in plain text.
However, the recently discovered flaw in this system could cause artifact objects generated during pipeline runs to expose these secured variables in plaintext format.
BitBucket Artifacts Contain Secrets in Plaintext
The Bitbucket Pipelines CI/CD service integrated within Bitbucket, uses artifact objects to store variables, files, and directories for use in subsequent stages of the build and testing process. Bitbucket’s “Secured Variables” feature is stated to store sensitive information like AWS keys securely as they are encrypted within the Bitbucket environment, preventing direct access and logging of their values.
Developers employ the printenv command to store all environment variables, including secured variables, in a text file, which is then included in an artifact object.
However, researchers from Mandiant discovered that this a critical flaw in this system causes artifact objects generated during pipeline runs to contain these secured variables in plaintext. As developers are not aware of that these secrets are exposed in artifact files, they may inadvertently cause secret values to be pushed to public repositories where threat actors can steal them.
The researchers state that could threat actor could simply open the text file artifacts to view sensitive variables in plaintext, easily stealing authentication secrets that can be used to steal data or perform other malicious activity.
The researchers noted instances where development teams used Bitbucket artifacts in web application source code for troubleshooting, unknowingly exposing plaintext values of secret keys. This led to the exposure of these keys on the public internet, allowing attackers to leverage them for unauthorized access.
Researchers Share Guide on Replicating BitBucket Vulnerability
The researchers shared step-by-step instructions on recreating the leak of secrets within a Bitbucket environment, as proof of the vulnerability. These steps included defining a secured variable, updating the bitbucket-pipelines.yml file to create an environment artifact, and downloading and accessing the artifact to view the exposed secrets.
The researchers shared the following recommendations to protect BitBucket Pipeline secrets:
- Storing secrets in a dedicated secrets manager and then referencing those variables in the code stored in your Bitbucket repository.
- Closely reviewing Bitbucket artifact objects to ensure they are not exposing secrets as plain text files.
- Deploying code scanning throughout the full lifecycle of your pipeline to catch secrets stored in code before they are deployed to production.
However, the researchers stated that the findings were not an indictment against BitBucket but rather an observation of how quickly seemingly harmless behaviour could snowball into critical security problems.
Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.
