Developers leave thousands of secrets in containers on Docker Hub

Many app containers on the web development platform Docker Hub contain secrets that developers have left exposed.
Cybernews reported that 54% of the analyzed container images on Docker Hub, or at least 5,493 images, contain secrets and could be considered to expose sensitive information.
These images were downloaded over 132 billion times by other developers on the platform.
The exposed secrets included API or SSH keys, access control tokens, internal-use URLs, and even private credentials. Cybernews researchers found at least 48,481 unique secrets. Most of them were GitHub tokens, Datadog tokens, Uniform Resource Identifiers, and encryption keys.
While some container images contain hard-coded secrets by design and do not expose any sensitive information, some secrets may be significant, granting attackers unauthorized access and financial or private data.
“Developers expose diverse hidden data types and a vast amount of sensitive data. The ratio of unique secrets per each vulnerable Docker image is practically eight to one, meaning that one image, exposing any secrets, is likely exposing eight of them on average,” Cybernews researcher Vincentas Baubonis warned.
“Even if the credentials, tokens, and other secrets are no longer valid, leaving them public is still a bad practice. Even old references to sensitive data show a sloppy security posture.”
Docker Hub is a cloud-based repository for container images, offering both public and private storage and collaboration solutions. Docker Hub is a subsidiary service of Docker, a major player in the digital container industry. Headquartered in San Francisco, the company contributes significantly to this transformative shift in software development and deployment.