Security

Misconfigured Apache Airflow servers leak thousands of credentials

Experts discovered many misconfigured Apache Airflow servers exposed online that were leaking sensitive information from prominent tech firms.

Apache Airflow is an open-source workflow management platform used by many organizations worldwide for automating business and IT tasks.

Researchers from security firm Intezer have discovered many misconfigured Apache Airflow servers exposed online that were leaking sensitive information, including credentials, from several tech companies.

“These unsecured instances expose sensitive information of companies across the media, finance, manufacturing, information technology (IT), biotech, e-commerce, health, energy, cybersecurity, and transportation industries. In the vulnerable Airflows, we see exposed credentials for popular platforms and services such as Slack, PayPal, AWS and more.” states the post published by Intezer.

Experts analyzed the misconfiguration risks for organizations and their customers, they also provided details of the common causes for data leakage from vulnerable instances. Intezer researchers determined that most of the leaked credentials are exposed through insecure coding practices, many of the impacted instances have hardcoded passwords inside the Python DAG code.

Apache Airflow data leakApache Airflow data leak

Other misconfigured installs analyzed by Intezer had a publicly accessible configuration file (airflow.cfg) that contains secret information, including passwords and keys. Threat actors could also change the configuration causing unexpected behavior.

The credentials could also be leaked through the Airflow “variables” that are used across DAG scripts. Experts explained that it is quite common to find hardcoded passwords stored in these variables.

Threat actors could also abuse Airflow plugins or features to run malware that could be injected in variables.

“There is also the possibility that Airflow plugins or features can be abused to run malicious code. An example of how an attacker can abuse a native “Variables” feature in Airflow is if any code or images placed in the variables form is used to build evaluated code strings.” continues the analysis. “Variables are able to be edited by any visiting user which means that malicious code could be injected. One entity we observed was using variables to store internal container image names to execute. These container image variables could be edited and swapped out with an image containing and running unauthorized or malicious code.”

The research focused on older versions of Apache Airflow and highlighted the risks associated with the use of out-of-date software.

Most of the issues described in the report were affecting servers running Airflow v1.x, the good news is that recent versions of Airflow includes security features that mitigate the above issues.

“In light of the major changes made in version 2, it is strongly recommended to update the version of all Airflow instances to the latest version. Make sure that only authorized users can connect.” concludes the report. “Exposing customer information can also lead to violation of data protection laws and the possibility of legal action.”

“Disruption of clients’ operations through poor cybersecurity practices can also result in legal action such as class action lawsuits,”

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Apache Airflow)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Meta plans to train AI on EU user data from May 27 without consent

Meta plans to train AI on EU user data from May 27 without consent; privacy…

5 hours ago

AI in the Cloud: The Rising Tide of Security and Privacy Risks

Over half of firms adopted AI in 2024, but cloud tools like Azure OpenAI raise…

7 hours ago

Google fixed a Chrome vulnerability that could lead to full account takeover

Google released emergency security updates to fix a Chrome vulnerability that could lead to full…

7 hours ago

Nova Scotia Power discloses data breach after March security incident

Nova Scotia Power confirmed a data breach involving the theft of sensitive customer data after…

18 hours ago

Coinbase disclosed a data breach after an extortion attempt

Coinbase confirmed rogue contractors stole customer data and demanded a $20M ransom in a breach…

20 hours ago

U.S. CISA adds a Fortinet flaw to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a Fortinet vulnerability to its Known Exploited Vulnerabilities…

1 day ago