One of the security risks of software development is passwords and other credentials hard-coded into the source code. Hard-coding not only makes password rotation painful, but also exposes the secrets to unwanted people once the code is committed into a source code repository.
A quick analysis of the leaked Ashley Madison dumps shows that software developers of AM forgot about these risks. Their source code contains AWS tokens, database credentials, certificate private keys and other secret credentials.
Secrets in the Source Code
The end result of sensitive data stored in the Ashley Madison Git source code repos is a much more vulnerable infrastructure. Database credentials and AWS tokens probably made lateral movement easier for the Impact Team, leading to the full breach of Ashley Madison.
Database Credentials
The database passwords I found were between 5 and 8 characters long, and many of them contained only 2 character classes.
Secret Tokens
First of all, we have an AWS API credential for an S3 bucket in a unit test file.
It seems the developers also hard-coded some Twitter OAuth tokens into their unit tests. (Update 07/09/2015: Removed; these credentials are part of the ‘request’ package)
Finally we have some application specific tokens here.
SSL Certificates
Private keys of SSL certificates are also stored in the repo.
Overview
Let’s review what information I gathered about the full application stack of Ashley Madison with a 10-minute search:
- Database credentials
- AWS credentials
- Other API tokens
- SSL certificate private keys
Recommendations
The obligatory tips for making lateral movement harder on your network:
- Never ever store sensitive data in your source code tree
- Never use weak database credentials
Finally, do yourself a favour and check your source code repo, as well as your Wiki pages, for sensitive data today.
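A minimal scanner in the spirit of that advice, added here as an example (it is not code from the original post, nor from the Ashley Madison code base): it walks a source tree looking for the four kinds of material listed in the overview (database passwords in config files, AWS access key IDs, OAuth-style secrets and PEM private key blocks) and grades every database password it finds on length and number of character classes, the two measures used in the Database Credentials section. The regular expressions, the file suffixes, the constructed sample files and the strength thresholds (12 characters, 3 classes) are my assumptions; the AKIA-prefixed key ID in the sample is the placeholder from AWS's own documentation, not a real credential.

```python
from __future__ import annotations

import re
import tempfile
from pathlib import Path

# Simplified shapes for the secret types discussed in the post. These are
# assumptions for illustration, not authoritative vendor formats.
SECRET_PATTERNS = {
    # Long-lived AWS access key IDs are 20 characters and start with AKIA.
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
    # password=..., db_pass: '...', pwd = "..." in config or code.
    "db_password_assignment": re.compile(
        r"(?i)\b(?:db_?pass(?:word)?|password|passwd|pwd)\s*[=:]\s*['\"]?([^'\"\s;]+)"
    ),
    # consumer_secret / oauth_secret / access_token_secret assignments.
    "oauth_secret": re.compile(
        r"(?i)\b(?:consumer|oauth|access)_?(?:token_)?secret\s*[=:]\s*['\"]?([A-Za-z0-9_\-]{16,})"
    ),
}

# File types worth scanning (assumed list; extend for your own stack).
SCAN_SUFFIXES = (".py", ".php", ".js", ".yml", ".yaml", ".ini", ".conf",
                 ".json", ".pem", ".key", ".txt", ".md")


def character_classes(password: str) -> int:
    """Count how many of lower/upper/digit/symbol appear in the password."""
    return sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])


def is_weak_password(password: str, min_length: int = 12, min_classes: int = 3) -> bool:
    """Flag passwords that are short or drawn from too few character classes."""
    return len(password) < min_length or character_classes(password) < min_classes


def scan_text(text: str, source: str = "<string>") -> list[dict]:
    """Return one finding per (line, pattern) hit; grade database passwords."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in SECRET_PATTERNS.items():
            match = pattern.search(line)
            if not match:
                continue
            finding = {"file": source, "line": lineno, "type": name}
            if name == "db_password_assignment":
                pw = match.group(1)
                finding.update(length=len(pw),
                               classes=character_classes(pw),
                               weak=is_weak_password(pw))
            findings.append(finding)
    return findings


def scan_tree(root: Path) -> list[dict]:
    """Scan every regular file under root (skipping .git), sorted by path."""
    findings = []
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix not in SCAN_SUFFIXES or ".git" in path.parts:
            continue
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue
        findings.extend(scan_text(text, path.relative_to(root).as_posix()))
    return sorted(findings, key=lambda f: (f["file"], f["line"]))


# Constructed sample repository: one hit of each type plus a clean file.
SAMPLE_FILES = {
    "config/database.ini": "[mysql]\nhost=db.internal\nuser=app\npassword=abc123\n",
    "tests/test_s3.py": "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'  # AWS docs placeholder\n",
    "certs/server.key": "-----BEGIN RSA PRIVATE KEY-----\nMIIB...constructed...\n-----END RSA PRIVATE KEY-----\n",
    "lib/twitter.php": "$consumer_secret = 'EXAMPLESECRETVALUE1234567890';\n",
    "README.md": "Run the app with ./start.sh\n",
}


def scan_sample() -> list[dict]:
    """Materialise the constructed sample tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, content in SAMPLE_FILES.items():
            dest = root / rel
            dest.parent.mkdir(parents=True, exist_ok=True)
            dest.write_text(content)
        return scan_tree(root)


if __name__ == "__main__":
    for f in scan_sample():
        print(f)
```

Run it against a real checkout with `scan_tree(Path("path/to/repo"))`; anything it reports is a candidate for rotation and for removal from history, not just from the working tree, since Git keeps every committed version of the file.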
Further reading:
- OWASP Use of hard-coded password vulnerability
- SANS Top 25 dangerous software errors: CWE-798: Use of hard-coded credentials
Update (07/09/2015): Additional API secrets and database credentials
Update (09/09/2015): Coverage of these findings in The Register, CIO, CSO, Office of Inadequate Security, DarkReading, Help Net Security, The Cyber Law Library
Update (14/09/2015): Additional coverage in SC Magazine
Photo courtesy of Tim Ellis