TL;DR
This study analyzes a large dataset of container images and finds that a significant share of them contain private keys and API secrets, opening an active attack surface against their creators and users, and discusses methods to detect and prevent such leaks.
Contribution
It provides the first large-scale analysis of secret leakage in container images and proposes detection methodologies to mitigate this security risk.
Findings
8.5% of images contain secrets
Over 52,000 private keys and 3,158 API secrets found
Leaked keys are actively used in the wild for authentication
Abstract
Containerization allows bundling applications and their dependencies into a single image. The containerization framework Docker eases the use of this concept and enables sharing images publicly, gaining high momentum. However, it can lead to users creating and sharing images that include private keys or API secrets, either by mistake or out of negligence. This leakage impairs the creator's security and that of everyone using the image. Yet, the extent of this practice and how to counteract it remains unclear. In this paper, we analyze 337,171 images from Docker Hub and 8,076 other private registries, unveiling that 8.5% of images indeed include secrets. Specifically, we find 52,107 private keys and 3,158 leaked API secrets, both opening a large attack surface, i.e., putting authentication and confidentiality of privacy-sensitive data at stake and even allowing active attacks. We further…
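As an added example (not code from the paper or its authors), the scanner below shows the kind of per-layer detection the abstract refers to: it assumes a `docker save`-style archive with one `layer.tar` per layer, uses constructed PEM and API-key rules, and walks every layer rather than the merged filesystem, because a key removed in a later build step still ships inside the earlier layer blob.

```python
import io, math, re, tarfile

PEM_RE = re.compile(rb"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----")
ASSIGN_RE = re.compile(rb"(?i)(?:api[_-]?key|secret|token)\s*[=:]\s*['\"]?([A-Za-z0-9_\-]{20,})")

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; random API tokens score well above ordinary config text."""
    if not data:
        return 0.0
    return -sum((n / len(data)) * math.log2(n / len(data))
                for n in (data.count(b) for b in set(data)))

def scan_layer(layer_bytes: bytes):
    """Yield (path, kind) for each regular file in one layer tarball."""
    with tarfile.open(fileobj=io.BytesIO(layer_bytes)) as layer:
        for member in filter(tarfile.TarInfo.isfile, layer.getmembers()):
            data = layer.extractfile(member).read()
            if PEM_RE.search(data):
                yield member.name, "private_key"
            if any(shannon_entropy(m.group(1)) > 3.5 for m in ASSIGN_RE.finditer(data)):
                yield member.name, "api_secret"

def scan_image(image_bytes: bytes):
    """Scan every layer of a `docker save` archive: a whiteout (.wh.*) in a later layer
    hides a file from the merged filesystem, but the bytes stay in the earlier blob."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(image_bytes)) as image:
        for member in image.getmembers():
            if member.isfile() and member.name.endswith("layer.tar"):
                blob = image.extractfile(member).read()
                findings += [(member.name, p, k) for p, k in scan_layer(blob)]
    return findings

def _tar(files: dict) -> bytes:
    """Build an in-memory tar from {path: bytes} (constructed test fixture helper)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as t:
        for path, data in files.items():
            info = tarfile.TarInfo(path); info.size = len(data)
            t.addfile(info, io.BytesIO(data))
    return buf.getvalue()

# Constructed image: layer 1 bakes in an SSH key and an API key, layer 2 "deletes" the key.
SAMPLE_IMAGE = _tar({
    "aaa/layer.tar": _tar({
        "root/.ssh/id_rsa": b"-----BEGIN OPENSSH PRIVATE KEY-----\nMIIE...\n",
        "app/config.env": b"API_KEY=sk_9fKq2Lx8vZ1pR4tWb7mNc3Yh6Jd0Ae5Ug\nNAME=demo\n",
    }),
    "bbb/layer.tar": _tar({"root/.ssh/.wh.id_rsa": b""}),
})
```

Running `scan_image(SAMPLE_IMAGE)` reports both the key and the API secret from the first layer even though the second layer's whiteout removes the key from a running container's view.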