Deployment is something a lot of companies still struggle with. A few weeks ago we wrote a blog post about Kubernetes being deployed insecurely and how Kubernetes pods were being hijacked to mine cryptocurrency.

This week we look at something different but still related to deployments: exposing things to the public that should not be exposed.

One tweet from @svblxyz (whom we would also like to thank for all the help given to us in reviewing this post and suggesting things to add) showed us an interesting Google dork, which made us wonder what the same search looks like across IP addresses rather than across domains/services (which is what Google search covers).

So we launched a scan using our distributed platform, as simple as:

> curl https://api.binaryedge.io/v1/tasks -d '{ "description": "HTTP Worldscan .env", "type": "scan", "options": [{ "targets": ["XXXX"], "ports": [{ "modules": ["http"], "port": "80", "config": { "http_path": "/.env" } }] }] }' -H 'X-Token:XXXXXX'

After this we started getting the results, and of course multiple issues can be identified in these scans:

Bad deployments - The .env files being accessible is something that shouldn't happen - there are companies exposing this type of file fully readable with no authentication.

Weak credentials - Lots of services with a username/password combo using weak passwords.

Credentials and Tokens

Many different types of service tokens were found:

AWS - 38 tokens
Mangopay - 9 tokens
Stripe - 89 tokens
Pusher - 1600 tokens

Other tokens found include:

PlugandPlay
Paypal
Mailchimp
Facebook
PhantomJS
Mailgun
Twitter
JWT
Google
WeChat
Shopify
Nexmo
Bitly
Braintree
Twilio
Recaptcha
Ucloud
Firebase
Mandrill
Slack
Sentry.io
Shopzcoin

Many of these systems involve financial records or payments.

But we also found database access configurations, which potentially grant access to customer data, such as:

DB_PASSWORD keys: 1161
REDIS_PASSWORD keys: 801
MySQL credentials: 946 (username/password combos)

Looking at the passwords in use, the top 3 are all weak passwords:

1 - secret - 93
2 - root - 33
3 - adminadmin - 24

Other weak passwords found are:

password
test123
foobar

When exposed tokens go super bad...

Laravel

Something that is also very dangerous is a situation like CVE-2018-15133, where a leaked APP_KEY for a Laravel app allows an attacker to execute commands on the machine where the Laravel instance is running.

And our scan found 300 APP_KEY tokens related to Laravel.

One important note to take into account: our scan looked only at port 80 internet wide. The real exposure can easily be much higher, as web apps on other ports will surely be exposing more .env files!

Our Enterprise customers can also use the on-demand scans feature to check all of their IP addresses and domains with a request like the one shown at the beginning of this blog post, using the HTTP module.
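To triage what an exposed .env file actually leaks, the following added example (not BinaryEdge's code) parses dotenv-style text and sorts the keys into the categories counted above: cloud/payment service tokens, database passwords, the Laravel APP_KEY, and the weak password values seen in the scan. The key-name patterns and the sample file are constructed for the example; real applications vary in how they name their keys.

```python
import re

# Constructed mapping from key names to the categories counted in the post.
CATEGORY_PATTERNS = {
    "aws": re.compile(r"^AWS_(ACCESS_KEY_ID|SECRET_ACCESS_KEY|KEY|SECRET)$"),
    "stripe": re.compile(r"^STRIPE_"),
    "pusher": re.compile(r"^PUSHER_"),
    "mangopay": re.compile(r"^MANGOPAY_"),
    "database": re.compile(r"^(DB_PASSWORD|MYSQL_PASSWORD|REDIS_PASSWORD)$"),
    "laravel_app_key": re.compile(r"^APP_KEY$"),
}

# Weak values listed in the post; compared case-insensitively.
WEAK_PASSWORDS = {"secret", "root", "adminadmin", "password", "test123", "foobar"}

ENV_LINE = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$")


def parse_env(text):
    """Parse dotenv-style text into a dict, skipping comments/blank lines and stripping quotes."""
    env = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = ENV_LINE.match(line)
        if not m:
            continue  # not KEY=value; ignore rather than guess
        key, value = m.group(1), m.group(2).strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        env[key] = value
    return env


def triage(text):
    """Group populated keys by category and flag password keys with weak values."""
    findings = {"categories": {}, "weak_passwords": []}
    for key, value in parse_env(text).items():
        for name, pattern in CATEGORY_PATTERNS.items():
            if value and pattern.match(key):  # empty values leak nothing
                findings["categories"].setdefault(name, []).append(key)
        if key.endswith("PASSWORD") and value.lower() in WEAK_PASSWORDS:
            findings["weak_passwords"].append(key)
    return findings


# Constructed sample .env body; every value is a placeholder, not a real secret.
SAMPLE_ENV = """# Laravel-style config (constructed)
APP_KEY=base64:PLACEHOLDERPLACEHOLDERPLACEHOLDER=
DB_PASSWORD=secret
REDIS_PASSWORD="adminadmin"
STRIPE_SECRET=sk_test_placeholder
PUSHER_APP_KEY=placeholder
PUSHER_APP_SECRET=placeholder
AWS_SECRET_ACCESS_KEY=
"""
```

Running `triage(SAMPLE_ENV)` reports the Laravel key, two database passwords (both weak), the Stripe and Pusher keys, and nothing for AWS because that value is empty.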