top of page

Study Reveals Widespread Exposure of Confidential Secrets in Docker Images on Docker Hub

According to a study conducted by researchers at RWTH Aachen University in Germany, a significant number of container images hosted on Docker Hub, a cloud-based repository for Docker images, contain confidential secrets. The study analyzed 337,171 images from Docker Hub and private registries, and approximately 8.5% of these images were found to contain sensitive data, including private keys and API secrets.


Study Reveals Widespread Exposure of Confidential Secrets in Docker Images on Docker Hub

The researchers compiled a large dataset comprising 1,647,300 layers from 337,171 Docker images and used regular expressions to search for specific secrets. They discovered 52,107 valid private keys and 3,158 distinct API secrets in 28,621 Docker images. Most of the exposed secrets were found in single-user images, indicating that they were likely leaked unintentionally.


The study also revealed that the exposure rate of secrets was higher on Docker Hub (9.0%) compared to private registries (6.3%), suggesting that users on Docker Hub may have a poorer understanding of container security. The researchers then investigated the use of the exposed secrets and found 22,082 compromised certificates that relied on the exposed private keys, including 7,546 private CA-signed certificates and 1,060 public CA-signed certificates. This poses a significant risk as CA-signed certificates are widely used and accepted.


To assess the use of exposed secrets in the wild, the researchers analyzed internet-wide measurements provided by the Censys database. They identified 275,269 hosts that relied on the compromised keys, including MQTT and AMQP hosts involved in transferring privacy-sensitive IoT data, FTP, PostgreSQL, Elasticsearch, and MySQL instances serving potentially confidential data, SIP hosts used for telephony, SMTP, POP3, and IMAP servers used for email, SSH servers, and Kubernetes instances that used leaked keys, which could lead to remote-shell access, botnet expansion, or unauthorized data access.


The findings of this study underscore a significant issue in container security and highlight the need for better practices when creating and sanitizing container images. The researchers also noted that while many exposed API secrets belonged to cloud providers like Amazon AWS, it was not possible to determine their use in the wild due to ethical limitations in validating them against service endpoints.

Comments


Get in Touch

Thanks for submitting!

Get Your Free Consultation

Apply for free 30-minute consultation today!

Join our community

Thanks for subscribing!

bottom of page