Starbucks Devs Leave API Key in GitHub Public Repo:
One misstep from developers at Starbucks left exposed an API key that could be used by an attacker to access internal systems and manipulate the list of authorized users.
The severity rating of the vulnerability was set to critical as the key allowed access to a Starbucks JumpCloud API.
Vulnerability hunter Vinoth Kumar found the key in a public GitHub repository and disclosed it responsibly through the HackerOne vulnerability coordination and bug bounty platform.
[...] Kumar reported the oversight on October 17 and close to three weeks later Starbucks responded that it demonstrated "significant information disclosure" and that it qualified for a bug bounty.
Starbucks took care of the problem much sooner, though, as Kumar noted on October 21 that the repository had been removed and the API key had been revoked.
[...] Once Starbucks was content with the remediation steps taken, the company paid Kumar a $4,000 bounty for the disclosure, which is the maximum reward for critical vulnerabilities. Most bounties from Starbucks are between $250-$375.
(Score: 2) by ElizabethGreene on Saturday January 04 2020, @03:37PM (6 children)
How do you prevent this?
I put my passwords and whatnot in a separate file, manually check in a dummy/stub copy, and then put the real one in .gitignore. It's fragile, manual, a pain, and I'd love to have a better way. Thoughts?
(Score: 0) by Anonymous Coward on Saturday January 04 2020, @03:55PM
Have authentication files be located outside of the deployment location of your app?
(Score: 1) by pasky on Saturday January 04 2020, @04:31PM
I feel it's still not a completely solved problem.
Separate config file is the most common approach. If you need a more flexible way to override credentials, environment variables are popular. (But environment leaks through the whole process tree by default.)
Even if you do the most modern methodologies with GitOps and k8s + helm, sealing secrets (and keeping them in sync across services) is still way too much pain.
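The two conventional approaches in the answer above (a separate config file, or an environment variable) can be combined into one loader that also closes the gaps the poster mentions. The following is an added example, not code from the thread or from any project it discusses: it reads the credential from the environment first and then scrubs it from the process environment so later child processes do not inherit it, falls back to a file that must sit outside any git working tree (so there is nothing in the tree to commit by accident), and rejects a file other users can read. The variable name `API_KEY`, the paths and the values are constructed for the demonstration.

```python
import os
import tempfile
from pathlib import Path
from typing import MutableMapping, Optional


class SecretError(RuntimeError):
    """Raised when a credential cannot be obtained safely."""


def repo_root(start: Path) -> Optional[Path]:
    """Return the git working tree enclosing `start`, or None if there is none."""
    for candidate in (start, *start.parents):
        if (candidate / ".git").exists():
            return candidate
    return None


def load_secret(name: str, file_path: Optional[Path] = None,
                env: Optional[MutableMapping[str, str]] = None) -> str:
    """Resolve credential `name` from, in order:
      1. the environment variable `name`, which is removed from `env` after
         reading so that child processes started later do not inherit it;
      2. a file at `file_path`, which must lie outside any git working tree
         and (on POSIX) must not be group- or world-readable.
    Nothing is ever read from the source tree, so no secret file can be committed.
    """
    env = os.environ if env is None else env
    value = env.pop(name, None)
    if value:
        return value.strip()
    if file_path is None:
        raise SecretError(f"{name}: not in environment and no secret file configured")
    path = file_path.expanduser().resolve()
    root = repo_root(path.parent)
    if root is not None:
        raise SecretError(f"{name}: refusing to read {path}, it is inside git repo {root}")
    if not path.is_file():
        raise SecretError(f"{name}: secret file {path} does not exist")
    if os.name == "posix" and path.stat().st_mode & 0o077:
        raise SecretError(f"{name}: {path} is readable by other users; chmod 600 it")
    return path.read_text(encoding="utf-8").strip()


def self_check() -> dict:
    """Exercise the loader on a constructed layout under a temporary directory:
    a fake repo containing a secrets file, and a secrets file outside any repo."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        repo = base / "project"
        (repo / ".git").mkdir(parents=True)           # stands in for a git working tree
        in_tree = repo / "secrets.txt"
        in_tree.write_text("sk_constructed_in_tree\n", encoding="utf-8")
        outside = base / "home" / ".config" / "app" / "api_key"
        outside.parent.mkdir(parents=True)
        outside.write_text("sk_constructed_outside\n", encoding="utf-8")
        os.chmod(outside, 0o600)

        # 1. the environment wins even when a file is configured
        results["env_wins"] = load_secret("API_KEY", in_tree, {"API_KEY": "from-env\n"})
        # 2. a file inside the working tree is refused outright
        try:
            load_secret("API_KEY", in_tree, {})
            results["in_tree"] = "allowed"
        except SecretError:
            results["in_tree"] = "refused"
        # 3. a 0600 file outside any repo is accepted
        results["outside"] = load_secret("API_KEY", outside, {})
        # 4. the variable is gone from the environment after it has been read
        env = {"API_KEY": "constructed-value"}
        load_secret("API_KEY", None, env)
        results["env_scrubbed"] = "API_KEY" not in env
    return results


if __name__ == "__main__":
    print(self_check())
```

In a real service the `env` argument is left as the default so the loader works on `os.environ`; the dictionary argument exists only so the behaviour can be checked without touching the real process environment.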
(Score: 4, Informative) by FatPhil on Saturday January 04 2020, @05:17PM
Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
(Score: 2) by darkfeline on Saturday January 04 2020, @07:52PM (1 child)
Why do you even need to put production secrets in the same directory that you're storing version controlled code? Secrets should only be deployed to prod, and prod shouldn't be committing code. If it's a user tool being run out of the source tree, it should be storing secrets in the local OS keyring, e.g. GNOME keyring, not as a file in the source tree directory.
Join the SDF Public Access UNIX System today!
(Score: 2) by iWantToKeepAnon on Sunday January 05 2020, @10:24PM
"Happy families are all alike; every unhappy family is unhappy in its own way." -- Anna Karenina by Leo Tolstoy
(Score: 2) by goodie on Monday January 06 2020, @02:08AM
Most CI solutions that handle deployments manage this through separate files and admin user/pass requirements to effectively gain read access to the file with the user info. At the end of the day it needs to be somewhere but it should never be written directly in a source file or in a main config file that ships with the code. Heck, put it in a .gitignore or something then to prevent this from happening by mistake.
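A `.gitignore` entry only protects the one file it names; the mistake described in the article (a literal key in a committed file) is better caught by checking what is about to be committed. The following added example is not from the thread or from any project it mentions: it scans diff text for assignments of long, random-looking values to credential-like names, using a Shannon-entropy test so that placeholders such as `changeme` or a run of `a`s are not reported, and masks the value in its own output so the report does not leak the secret. The regex, the name list, the 3.5-bit entropy threshold and the sample diff lines are all constructed for this example.

```python
import math
import re
import sys
from collections import Counter
from typing import Iterable, List, Tuple

# An assignment of a long token to a name that suggests a credential.
# The name words and the 16-character minimum are this example's own choices.
CREDENTIAL_ASSIGNMENT = re.compile(r"""(?ix)
    \b(?P<name>[A-Z0-9_.-]*(?:key|secret|token|password|passwd|pwd)[A-Z0-9_.-]*)
    \s*[:=]\s*
    ["']?(?P<value>[A-Za-z0-9_\-/+=]{16,})["']?
""")

# Well-known dummy values that are long enough to match but are not secrets.
PLACEHOLDERS = {"changeme", "xxxxxxxxxxxxxxxxxxxx", "<your-api-key>", "todo"}


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of `s`; 0.0 for a single repeated character."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_credential(value: str) -> bool:
    """Random keys have high per-character entropy; placeholders and padding do not."""
    if value.lower() in PLACEHOLDERS:
        return False
    return shannon_entropy(value) >= 3.5      # threshold chosen for this example


def scan_lines(lines: Iterable[str]) -> List[Tuple[int, str, str]]:
    """Return (line_number, variable_name, masked_value) for each suspect line.
    Only the first and last two characters of the value are kept in the report."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        match = CREDENTIAL_ASSIGNMENT.search(line)
        if not match:
            continue
        value = match.group("value")
        if looks_like_credential(value):
            findings.append((lineno, match.group("name"), value[:2] + "..." + value[-2:]))
    return findings


# Constructed diff lines; the hex value is made up and is not a real key.
SAMPLE_DIFF = [
    '+JUMPCLOUD_API_KEY = "8f3e1c9a7b2d4e6f0a1b2c3d4e5f6a7b"',   # literal key: flagged
    '+api_key = os.environ["API_KEY"]',                            # read from env: fine
    '+password = "changeme"',                                      # too short to match
    '+DB_PASSWORD = "aaaaaaaaaaaaaaaaaaaa"',                        # low entropy: not flagged
    '+retries = 3',
]


if __name__ == "__main__":
    # Intended use as a pre-commit hook:  git diff --cached | python this_script.py
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_DIFF
    hits = scan_lines(source)
    for lineno, name, masked in hits:
        print(f"line {lineno}: possible credential assigned to {name} ({masked})")
    sys.exit(1 if hits else 0)
```

Run with no piped input, the script scans `SAMPLE_DIFF` and reports only the first line; wired into a pre-commit hook it fails the commit whenever a finding is produced, which is the point at which a key is still cheap to remove.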
(Score: 3, Insightful) by Mojibake Tengu on Saturday January 04 2020, @05:37PM (1 child)
More disturbing than a mere leak of some particular API key is the fact this key was to the production system/infrastructure.
Developers should never touch the production systems, they should have their own toy playgrounds separated.
Rust programming language offends both my Intelligence and my Spirit.
(Score: 0) by Anonymous Coward on Monday January 06 2020, @02:47AM
You are halfway there. Developers need access to the test systems. It's not their fault if the company is too cheap to have a separate production system.
(Score: 0) by Anonymous Coward on Saturday January 04 2020, @06:07PM (1 child)
What is a "coffee" company doing futzing around with IT?
(Score: 1) by Ethanol-fueled on Sunday January 05 2020, @03:24AM
Seattle is known for both good coffee and IT, and is also known for being a city full of goddamn junkies. The offender was probably nodded off on heroin when they made the commit. Starbucks programmers keep 2 syringes of brown liquid in their desks at all times. The idiot who made the commit was fumbling for the "coffee" syringe and grabbed the "heroin" one instead while he was making comments about "cops=pigs" and "Antifa for life" in the source code.
(Score: 2, Insightful) by Anonymous Coward on Saturday January 04 2020, @06:52PM
Maybe it's not such a good idea to be using a public (i.e. someone else's) repository to store your company's intellectual property?