Researchers have recently uncovered a critical flaw in Atlassian’s Bitbucket code repository tool that allowed threat actors to gain unauthorized access to AWS accounts by exploiting leaked authentication secrets stored as plaintext in Bitbucket artifacts. The flaw could expose the secured variables used in Bitbucket Pipelines in plaintext, putting sensitive information at risk.
Bitbucket’s Pipelines CI/CD service utilizes artifact objects to store variables, files, and directories for use in subsequent stages of the build and testing process. The “Secured Variables” feature is designed to encrypt sensitive information such as AWS keys within the Bitbucket environment to prevent unauthorized access and logging of their values. However, researchers from Mandiant discovered that a critical flaw in the system caused artifact objects generated during pipeline runs to contain these secured variables in plaintext, leaving them vulnerable to exploitation by threat actors.
By simply opening these text-file artifacts, threat actors could view and steal the authentication secrets, potentially leading to data theft or other malicious activity. Instances were noted in which development teams unknowingly included plaintext values of secret keys in web application source code stored in Bitbucket artifacts, inadvertently exposing them to the public internet and enabling attackers to use them for unauthorized access.
To demonstrate the vulnerability, researchers shared step-by-step instructions for replicating the leak of secrets within a Bitbucket environment. They advised organizations to take precautions such as storing secrets in a dedicated secrets manager, reviewing Bitbucket artifact objects to ensure they do not expose secrets as plaintext files, and implementing code scanning throughout the pipeline lifecycle to detect secrets stored in code before deployment to production.
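As an added example (not code from the article or from Mandiant’s write-up), here is a pre-upload check that implements the artifact-review and secret-scanning precautions above: it looks for the pipeline’s own secured-variable values, and for the fixed shape of an AWS access key ID, inside artifact files so the step can fail before a plaintext secret is published. The variable names, values and artifact contents are constructed stand-ins.

```python
import os
import re
from typing import Dict, List

# AWS access key IDs have a fixed shape, so they are caught even when not in `secured`.
AWS_KEY_ID_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")

# Constructed stand-ins (not real credentials) for the pipeline's secured variables;
# a real step would read them from the environment, e.g. os.environ["AWS_SECRET_ACCESS_KEY"].
SECURED_VARS = {
    "AWS_ACCESS_KEY_ID": "AKIAEXAMPLE0123456AB",
    "AWS_SECRET_ACCESS_KEY": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
}

# Constructed artifact content: a config file rendered by a build step that
# interpolated the secured variables, which is how they end up stored in plaintext.
SAMPLE_ARTIFACT = """\
# generated by build step
AWS_ACCESS_KEY_ID=AKIAEXAMPLE0123456AB
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
region=us-east-1
"""


def find_leaks(text: str, secured: Dict[str, str]) -> Dict[str, List[int]]:
    """Map each leaked variable name (or '<aws-key-id-pattern>') to 1-based line numbers."""
    hits: Dict[str, List[int]] = {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, value in secured.items():
            if value and value in line:
                hits.setdefault(name, []).append(lineno)
        if AWS_KEY_ID_RE.search(line):
            hits.setdefault("<aws-key-id-pattern>", []).append(lineno)
    return hits


def scan_artifact_dir(root: str, secured: Dict[str, str]) -> Dict[str, Dict[str, List[int]]]:
    """Scan every file under an artifact directory; a non-empty report should fail the step."""
    report: Dict[str, Dict[str, List[int]]] = {}
    for dirpath, _, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            with open(path, encoding="utf-8", errors="ignore") as fh:
                hits = find_leaks(fh.read(), secured)
            if hits:
                report[path] = hits
    return report
```

Run `scan_artifact_dir` on the directory a pipeline step is about to publish as an artifact and fail the step when the report is non-empty; the same check can run against already-downloaded artifacts during a review.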
It is important to note that the researchers’ findings were not meant to discredit Bitbucket but rather to highlight how seemingly innocuous actions could lead to significant security issues. Organizations using Bitbucket are urged to follow best practices for securing sensitive information and to remain vigilant to prevent potential security breaches.
In conclusion, the discovery of this flaw underscores the importance of maintaining robust security measures when handling sensitive data within code repositories. By staying informed and implementing proactive security measures, organizations can mitigate the risks associated with potential security vulnerabilities in tools like Bitbucket.