Docker Leaks API Secrets & Private Keys, as Cybercriminals Pounce

Researchers found that the private keys and secrets they discovered being exposed within the Docker framework are already being used in the wild.

Dark Reading Staff, Dark Reading

July 20, 2023

2 Min Read
A ring of keys on a red background
Source: gpriccardi via Alamy Stock Photo

Container images shared on Docker Hub are leaking sensitive data in the cloud, to the tune of tens of thousands of secrets. And attackers are scooping these up to be used to compromise a wide range of hosts.

Because coding an application and deploying it into another environment can cause errors, developers combine everything together — files, libraries, and dependencies — to be put in containers in the cloud. This makes it easier to create applications that can work across systems. Docker images are a common source for this method of programming, and Docker Hub has millions of private repositories, automated builds, official images provided by Docker, and webhooks that "trigger actions after a successful push to a repository to integrate Docker Hub with other services."

In a study conducted by researchers at RWTH Aachen University in Germany, it was discovered that the ease with which the Docker framework allows containerization could lead to sharing private keys or API secrets, thus compromising the security of anyone who created or is using the image. The researchers uncovered 52,107 private keys in misconfigured containers, as well as 3,158 leaked API secrets.

They also found that the leaked keys were already being used in the wild. There were 1,060 certificates that used compromised keys, and 275,269 TLS and SSH hosts using "leaked keys for authentication." 

"This widespread usage allows attackers to eavesdrop on confidential or alter sensitive information, e.g., from the IoT, webpages, or databases," according to the report.

To boot, the researchers found 216 exposed Session Initial Protocol (SIP) hosts for telephones, and 8,165 SMTP, 1,516 POP3, and 1,798 IMAP servers used for emails. These have security implications around Internet-based communications, as these hosts can fall victim to impersonation attacks, allowing threat actors to eavesdrop as well as transmit and alter data.

In conducting this study, the researchers analyzed 337,171 images from Docker Hub as well as 8,076 from private registries.

About the Author

Dark Reading Staff

Dark Reading

Dark Reading is a leading cybersecurity media site.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights