Threat actors exploit plaintext AWS secrets found in Bitbucket artifact objects, revealing security vulnerabilities. Mandiant’s investigation into AWS secret exposure highlights the risk of sensitive data being leaked in plaintext to public repositories. This breach underscores the importance of robust security measures to safeguard confidential information from unauthorized access. When a variable is set as secured in BitBucket, they are stored in encrypted form to prevent public exposure of its values in the Bitbucket environment.
However, Mandiant discovered that artifact objects generated during pipeline runs can contain sensitive information, including secured variables in plaintext. As developers may not be aware that these secrets are exposed in artifact files, the source code may be published to public repositories where threat actors can steal them. Artifacts are defined in the bitbucket-pipelines.yml config file used to specify a Bitbucket project’s CI/CD processes.
One of the directives in these files is artifacts:, which are used to specify variables, files, and directories that are exported to artifact objects to be retained and used in further steps of the build and testing process. If those artifact files are then stored in a public location, a threat actor can simply open the text file and view all variables in plaintext, easily stealing authentication secrets that can be used to steal data or perform other malicious activity. Misconfiguring the ‘bitbucket-pipelines.yml’ file which defines the CI/CD pipeline, to include secured variables in logs or artifacts, is another possibility according to Mandiant.
