https://cloud.google.com/blog/topics/threat-intelligence/bitbucket-pipeline-leaking-secrets
Threat Intelligence
HOLES IN YOUR BITBUCKET: WHY YOUR CI/CD PIPELINE IS LEAKING SECRETS

May 21, 2024
MANDIANT



Written by: Mark Swindle

--------------------------------------------------------------------------------

 

While investigating recent exposures of Amazon Web Services (AWS) secrets,
Mandiant identified a scenario in which client-specific secrets have been leaked
from Atlassian's code repository tool, Bitbucket, and leveraged by threat actors
to gain unauthorized access to AWS. This blog post illustrates how Bitbucket
Secured Variables can be leaked in your pipeline and expose you to security
breaches. 


BACKGROUND

Bitbucket is a code hosting platform provided by Atlassian and is equipped with
a built-in continuous integration and continuous delivery/deployment (CI/CD)
service called Bitbucket Pipelines. Bitbucket Pipelines can be used to execute
CI/CD use cases like deploying and maintaining resources in AWS. Bitbucket
includes an administrative function called "Secured Variables" that allows
administrators to store CI/CD secrets, such as AWS keys, directly in Bitbucket
for easy reference by code libraries. 

CI/CD Secrets: CI/CD Secrets serve as the authentication and authorization
backbone within CI/CD pipelines. They provide the credentials required for
pipelines to interact with platforms like AWS, ensuring pipelines possess the
appropriate permissions for their tasks. Secrets are often extremely powerful
and are beloved by attackers because they present an opportunity for direct,
unabated access to an environment. Maintaining confidentiality of secrets while
balancing ease of use by developers is a constant struggle in securing CI/CD
pipelines. 

Bitbucket Secured Variables: Bitbucket provides a way to store variables so
developers can quickly reference them when writing code. Additionally, Bitbucket
offers an option to declare a variable as a "secured variable" for any data that
is sensitive. A secured variable is designed such that, once its value is set by
an administrator, it can no longer be read in plain text. This structure allows
developers to make quick calls to secret variables without exposing their values
anywhere in Bitbucket. Unless…


EXPORTING SECRETS FROM BITBUCKET IN PLAIN TEXT

CI/CD pipelines are designed just like the plumbing in your house. Pipes,
valves, and regulators all work in unison to provide you with reliable, running
water. CI/CD pipelines are a complicated orchestration of events to accomplish a
specific task. In order to accomplish this, these pipelines are highly
proficient at packaging and deploying large volumes of data completely
autonomously. As a developer, this creates countless possibilities for
automating work, but, as a security professional, it can be a cause for anxiety
and heartburn. Perhaps it's a line of code with a hardcoded secret sneaking into
production. Maybe it's a developer accidentally storing secrets locally on their
machine. Or maybe, as we have seen in recent investigations, it's a Bitbucket
artifact object containing secrets for an AWS environment being published to
publicly available locations like S3 Buckets or company websites.

Bitbucket secured variables are a convenient way to store secrets locally in
Bitbucket for quick reference by developers; however, they come with one
concerning characteristic—they can be exposed in plain text through artifact
objects. If a Bitbucket variable—secured or not secured—is written to a file
that is then declared under the artifacts: key in bitbucket-pipelines.yml, the
resulting artifact is a .txt file with the value of that variable displayed in
plain text.

Mandiant has seen instances in which development teams used Bitbucket artifacts
in web application source code for troubleshooting purposes, but, unbeknownst to
the development teams, those artifacts contained plain text values of secret
keys. This resulted in secret keys being exposed to the public internet where
they were located and subsequently leveraged by attackers to gain unauthorized
access.

Once a secured variable—such as an AWS Key—is copied to a .txt file in plain
text, the secret has been leaked, and it's up to the pipeline as to where that
secret flows and how long until an attacker finds it.


REPRODUCING THE SECRET LEAK

The following are steps to recreate the secret leak in a Bitbucket environment.
One important note—the commands detailed in this guide illustrate only one
possibility, but there are several other methods that export secured variables
to artifacts in Bitbucket. Administrators and developers should closely review
any references to artifact objects in their bitbucket-pipelines.yml file or any
other files in the repository. 

ESTABLISH SECURED VARIABLES IN BITBUCKET

This can be done at the repository level or the workspace level as long as they
are set to "secured variable."



UPDATE THE BITBUCKET-PIPELINES.YML FILE TO CREATE AN ENVIRONMENT ARTIFACT

The following lines of code execute the command printenv to copy all environment
variables from Bitbucket to a .txt file called environment_variables.txt. This
is a common practice in development when troubleshooting because developers need
to review a wide range of variables for legitimate development purposes. Once
the .txt file is created, the code passes it to a Bitbucket artifact object
where it can be used by future stages in the pipeline, if necessary.



NAVIGATE TO THE PIPELINE EXECUTION HISTORY AND DOWNLOAD THE ARTIFACT



OPEN THE ARTIFACT AND SEARCH FOR SECURED VARIABLES

After exporting the .txt file, secrets can be read in plain text among all the
variables in the Bitbucket environment. One note on this step—it is possible you
will need to extract components of a .tar file as an additional step here. In
this event, extract the .tar file using your data extraction tool of choice.
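The steps above describe a bitbucket-pipelines.yml in which printenv writes the whole environment to a file and that file is listed under artifacts:. The following is an added example, not code from the post or from Atlassian: it embeds a constructed pipeline file of that shape, plus a constructed safer variant that writes only variable names, and runs a line-oriented check over both that reports any step whose script dumps environment values into a file that the same step publishes as an artifact. The function names (parse_steps, env_dump_targets, find_leaks) and the regex heuristics are this example's own; as the post notes, other ways of exporting a variable exist, so the check is a first pass for reviewing repositories, not a complete detector.

```python
import fnmatch
import re

# Constructed sample bitbucket-pipelines.yml (not from the post) reproducing the
# pattern it describes: printenv writes every variable, secured ones included,
# to a file, and the artifacts: key then keeps that file for download.
LEAKY_PIPELINE = """\
pipelines:
  default:
    - step:
        name: Debug environment
        script:
          - printenv > environment_variables.txt
        artifacts:
          - environment_variables.txt
    - step:
        name: Build
        script:
          - pip install -r requirements.txt
          - python -m build
        artifacts:
          - dist/**
"""

# Constructed safer variant: only variable names are written out, so the
# artifact still helps troubleshooting but carries no values.
SAFER_PIPELINE = """\
pipelines:
  default:
    - step:
        name: Debug environment
        script:
          - printenv | cut -d= -f1 | sort > environment_variable_names.txt
        artifacts:
          - environment_variable_names.txt
"""

# Heuristics for commands that write variable values to a file: a whole
# environment dump redirected to a file, or echo of a $VARIABLE into a file.
# The post notes other forms exist, so treat this as a first pass, not a proof.
ENV_DUMP_PATTERNS = [
    re.compile(r"^(?:printenv|env|set|export)\b[^>|;]*>\s*(\S+)"),
    re.compile(r"^echo\b[^>|;]*\$\{?[A-Za-z_][A-Za-z0-9_]*\}?[^>|;]*>\s*(\S+)"),
]


def parse_steps(text):
    """Collect name, script lines and artifact globs per step.

    Line-oriented on purpose: it covers the usual bitbucket-pipelines.yml
    layout without needing a YAML library.
    """
    steps, mode = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line in ("- step:", "step:"):
            steps.append({"name": "<unnamed>", "script": [], "artifacts": []})
            mode = None
        elif not steps:
            continue  # top-level keys before the first step
        elif line.startswith("name:"):
            steps[-1]["name"] = line.split(":", 1)[1].strip()
        elif line in ("script:", "artifacts:"):
            mode = line[:-1]
        elif line.startswith("- ") and mode:
            steps[-1][mode].append(line[2:].strip())
        else:
            mode = None  # any other key ends the current list
    return steps


def env_dump_targets(script):
    """Files that a step's script fills with environment variable values."""
    targets = []
    for cmd in script:
        for pattern in ENV_DUMP_PATTERNS:
            m = pattern.match(cmd)
            if m:
                targets.append(m.group(1))
                break
    return targets


def find_leaks(text):
    """Every (step, file, artifact glob) where an env dump becomes an artifact."""
    findings = []
    for step in parse_steps(text):
        for target in env_dump_targets(step["script"]):
            for glob in step["artifacts"]:
                # fnmatch lets * cross "/", so globs such as debug/** also match.
                if fnmatch.fnmatch(target, glob):
                    findings.append({"step": step["name"], "file": target,
                                     "artifact": glob})
    return findings


if __name__ == "__main__":
    for f in find_leaks(LEAKY_PIPELINE):
        print(f"step {f['step']!r} publishes {f['file']} via artifacts entry {f['artifact']}")
    print("safer variant:", find_leaks(SAFER_PIPELINE))
```

Run against the leaky sample the check reports the "Debug environment" step; against the safer variant it reports nothing, because the pipe to cut breaks the direct redirect-to-file pattern and no values reach the artifact. Artifact globs are matched with fnmatch so that a broad entry like debug/** is also caught when the dump lands inside that directory.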



SECRETS FLOW WHERE THE PIPELINE GOES

Once the secrets are printed to the environment_variables.txt file, they are
free to flow out of Bitbucket through the pipeline and become exposed. Any
combination of development mistakes, malicious intent, or accidental disclosure
can lead to secret exposure and misuse by a threat actor. 


RECOMMENDATIONS

Bitbucket Pipelines is a great platform for storing code, collaborating on it,
and deploying it. Bitbucket, however, is not a dedicated secrets manager, and
storing secrets directly in Bitbucket introduces opportunities for secrets to be
leaked. Safely protect your secrets when using Bitbucket Pipelines by:

 * Storing secrets in a dedicated secrets manager and then referencing those
   variables in the code stored in your Bitbucket repository
 * Closely reviewing Bitbucket artifact objects to ensure they are not exposing
   secrets as plain text files
 * Deploying code scanning throughout the full lifecycle of your pipeline to
   catch secrets stored in code before they are deployed to production
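The second and third recommendations call for reviewing artifact contents and scanning for secrets before anything is published. The following is an added example, not code from the post or from Atlassian, of a scanner that could run over an environment dump such as environment_variables.txt as a pipeline step: it flags AWS access key IDs by their fixed shape, flags high-entropy values held in variables whose names suggest a secret, and produces a redacted copy that is safe to keep as a troubleshooting artifact. The sample dump is constructed; the AWS values in it are the placeholder credentials from AWS's own documentation, not live keys. The function names, the name list and the entropy threshold are this example's own choices.

```python
import math
import re
from collections import Counter

# Constructed sample of an environment_variables.txt artifact as printenv would
# produce it. The AWS values are the placeholder credentials from AWS's own
# documentation, not live keys.
SAMPLE_ARTIFACT = """\
HOME=/root
BITBUCKET_BRANCH=main
BITBUCKET_BUILD_NUMBER=42
AWS_DEFAULT_REGION=us-east-1
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
DEPLOY_TOKEN=not-a-real-token
PATH=/usr/local/bin:/usr/bin:/bin
"""

# AWS access key IDs have a fixed shape (AKIA for long-term keys, ASIA for
# temporary ones), so they can be matched exactly.
AWS_ACCESS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# Variable names that usually hold a secret; their values are judged by entropy.
SENSITIVE_NAME = re.compile(r"SECRET|TOKEN|PASSWORD|PASSWD|PRIVATE_KEY|API_KEY", re.I)
MIN_SECRET_LENGTH = 16
ENTROPY_THRESHOLD = 4.0  # bits per character; random-looking strings sit above this


def shannon_entropy(value):
    """Bits of entropy per character: a crude 'does this look random' score."""
    if not value:
        return 0.0
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in Counter(value).values())


def scan_env_dump(text):
    """One finding per NAME=VALUE line that looks like a leaked credential."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if "=" not in line:
            continue
        name, value = line.split("=", 1)
        reasons = []
        if AWS_ACCESS_KEY_ID.search(value):
            reasons.append("aws-access-key-id")
        if (SENSITIVE_NAME.search(name)
                and len(value) >= MIN_SECRET_LENGTH
                and shannon_entropy(value) >= ENTROPY_THRESHOLD):
            reasons.append("high-entropy-sensitive-name")
        if reasons:
            findings.append({"line": lineno, "name": name, "reasons": reasons})
    return findings


def redact(text):
    """Copy of the dump with every flagged value replaced, safe to keep as an artifact."""
    flagged = {f["line"] for f in scan_env_dump(text)}
    out = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if lineno in flagged:
            out.append(f"{line.split('=', 1)[0]}=***REDACTED***")
        else:
            out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for f in scan_env_dump(SAMPLE_ARTIFACT):
        print(f"line {f['line']}: {f['name']} flagged ({', '.join(f['reasons'])})")
    print(redact(SAMPLE_ARTIFACT))
```

On the sample the scanner flags AWS_ACCESS_KEY_ID (exact pattern) and AWS_SECRET_ACCESS_KEY (sensitive name plus high entropy) while leaving DEPLOY_TOKEN alone, whose human-readable placeholder value falls under the entropy threshold. A pipeline can fail the step on any finding, or publish only the redacted copy; either way the value never reaches the artifact store. Real deployments usually pair a check like this with a dedicated secret-scanning tool, since entropy heuristics miss structured but low-entropy secrets.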


CONCLUSION

This is not an indictment against Bitbucket. Instead, it's a case study in how
seemingly innocuous actions can snowball into serious problems. We use the word
"leak" for a specific reason. All it takes is one keystroke, one line of code,
or one misconfiguration for a slow, seemingly untraceable drip of secrets to
flow through your pipeline out into the world.
