Atlassian Bitbucket is a web-based version control repository service for source code and development projects. In May 2024, Mandiant discovered that Atlassian Bitbucket artifacts could unintentionally leak plaintext authentication secrets. This vulnerability poses a significant risk, as sensitive information stored in Bitbucket's 'Secured Variables' can be exposed in artifact objects generated during pipeline runs. Atlassian has acknowledged the issue and emphasized the importance of its customers following security best practices.
Read on to learn more about the Bitbucket leak and how Vorlon can help protect your environment from this vulnerability.
Details of the Leak
In a recent security alert, Mandiant revealed a critical vulnerability in Atlassian Bitbucket, a popular web-based version control repository. While investigating AWS account breaches, Mandiant discovered that Bitbucket's 'Secured Variables' were being exposed in plaintext within artifact objects created during pipeline executions. The issue arises when secured variables, intended to remain encrypted, are inadvertently included in plaintext in artifact objects if developers use commands that save all environment variables, including the secured ones.
Data Involved
The exact number of affected records is unclear, but the exposure's scope is significant due to Bitbucket's widespread use among development teams globally. Secured Variables in Bitbucket, often containing sensitive data such as API keys, authentication tokens, and passwords, were found in plaintext in publicly accessible artifact objects. This exposure could potentially affect any Bitbucket Pipelines project without adequate security measures.
Atlassian acknowledged the problem and advises that its customers should use dedicated secret management tools and implement thorough reviews and code scanning to prevent such exposures.
This advice is good, but not great and that is largely due to the fact that their recommendations fall entirely to those in development and product. This advice falls short for the SOC, who is ultimately charged with monitoring and managing the overall security of the organization.
Response from Atlassian
Atlassian responded promptly to Mandiant's findings. They acknowledged the vulnerability and highlighted that printing secured variables to files during pipeline builds goes against recommended security practices. Atlassian urged users to follow best practices, including using dedicated secret management tools and implementing secret scanning. They reassured users that Bitbucket encrypts pipeline variables and masks their output in logs to prevent accidental leaks, but developers should still be cautious about their configurations.
We appreciate the reassurance, and suggest customers “trust but verify” by continuously monitoring the usage of all your secrets for abnormal behavior.
Additional Insights
This incident reminds us that even sophisticated tools like Bitbucket can have vulnerabilities if not used correctly. It underscores the importance of proper secret management in CI/CD processes. The incident also highlights the necessity for SOC teams to not solely rely on development teams to practice proper security practices, such as regular code and artifact reviews. SOCs need to adapt and use specialized solutions, instead of relying solely on built-in features of CI/CD platforms. Solutions such as Vorlon can provide that proactive monitoring of your third party applications and how after an event like this, a compromised secret is being used.
Atlassian's proactive approach and transparent communication have been commendable, but this event also serves as a critical learning point for the development community. Ensuring that best practices are followed and leveraging additional security tools can significantly mitigate such risks.
For more detailed information on this incident, refer to the original article from the great Bill Toulas at BleepingComputer.
How Vorlon Can Help
Too frequently, companies rely on their vendors to monitor and secure themselves and their legal agreements to recoup financial losses in the event of an incident. When a breach occurs, it can be weeks or months before you receive a notification from your provider. In a vulnerability like this with Bitbucket, bad actors can leverage the secrets Bitbucket has exposed without a proactive solution like Vorlon and make seemingly “valid” calls to your applications. This can result in hefty fines for compliance violations, and the longer this goes unnoticed, the larger those fines can become.
To learn more about how Vorlon can help, request a demo or view our latest webinar on demand.