It's 2019 and Hard-Coded Credentials Are Still a Problem


A security issue that surfaced in a mobile app recently highlights the need for developers to get a grip and stamp out one of the most avoidable software development bugs there is: hard-coded credentials.

Steer offers a mobile app that lets schools track their pupils' mental health. Teachers enter data about children's behavior, and the app predicts social and emotional problems. However, the company was recently forced to rewrite its app after a researcher found credentials for an online testing account embedded in the application's code. A mobile app ships to every user's device, so anything compiled into it should be treated as public.

This is a common problem. So common, in fact, that it has its own entry in the Common Weakness Enumeration (CWE), CWE-798, Use of Hard-coded Credentials, and it ranks on the CWE Top 25 list of the most dangerous software errors. The CWE project derives that ranking from thousands of bug reports in the Common Vulnerabilities and Exposures (CVE) database, using them to find the most common types of weakness.

There have been many other cases of hard-coded credentials. Researchers have found them in the mobile apps used to control connected cars, in Western Digital's MyCloud network attached storage boxes, and in 'smart' thermostats that are anything but. Some developers have also undermined their own mobile apps by hard-coding the encryption keys that are supposed to protect their users from network snoopers: a key that ships inside the app can be pulled out of it by anyone who downloads it.

Just as dangerous is the uploading of credentials to code repositories like GitHub, where developers routinely deposit their secret keys for cloud service APIs, often pushing them to a repository as part of a general code update without even realizing it. In fact, researchers found secrets in over 100,000 GitHub repositories, with new ones leaking every day. Once pushed, a secret stays in the repository's history even after it is deleted from the current revision, so the only real fix is to revoke it and issue a new one.

Don't assume that making a GitHub repository private protects you, either. In one case, hacker Kyle Milliken stole 17.5m user credentials from online commenting service Disqus after getting into one of its developers' GitHub accounts by credential stuffing. He found the company's Amazon Web Services account credentials directly in its source code. Facepalm.

Such is the scale of the problem that specialist tools have appeared to identify these secrets so that developers can remove them. GitHub introduced a Token Scanning feature in October 2018, which spots partner providers' tokens in public repositories and notifies the provider so the token can be revoked, and Duo Security now provides secret-bridge, an open-source tool for detecting secrets in repositories.
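To make concrete what the scanners above look for, and how the hard-coded keys and leaked repository secrets described earlier get caught, here is a small Python scanner added for this article; it is not code from GitHub, Duo Security, or any other company or project named here. It applies three pattern rules (AWS access key IDs, PEM private-key headers, and quoted literals assigned to names containing words such as secret or password) plus a Shannon-entropy check over long string literals, and runs them over a constructed sample source file. The AWS values in the sample are the placeholder keys AWS uses in its own documentation, not live credentials; the rule names and the 4.0 bits-per-character threshold are this example's own choices.

```python
"""Tiny hard-coded-secret scanner: illustrative code added to the article,
not taken from GitHub token scanning, secret-bridge or any other project."""
import math
import re
from collections import Counter
from typing import Dict, List, NamedTuple, Set

# Constructed sample source file. The AWS values are the placeholder keys that
# AWS uses in its own documentation, so nothing here is a live credential.
SAMPLE_SOURCE = """\
import os
# constructed sample: the AWS values are the placeholder keys AWS uses in its own docs
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
DB_PASSWORD = "hunter2"
DB_PASSWORD_SAFE = os.environ["DB_PASSWORD"]
signing_key = "-----BEGIN RSA PRIVATE KEY-----"
GREETING = "hello world"
"""

# Deterministic rules: well-known token formats and credential-looking assignments.
PATTERN_RULES = [
    # AWS access key IDs are "AKIA" followed by 16 upper-case alphanumerics.
    ("aws-access-key-id", re.compile(r"(?<![A-Z0-9])AKIA[0-9A-Z]{16}(?![A-Z0-9])")),
    # PEM armour for any private key type (RSA, EC, OPENSSH, or unqualified).
    ("private-key-block", re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----")),
    # A quoted literal assigned to a name that contains a credential keyword.
    # os.environ[...] on the right-hand side does not match: no quote after '='.
    ("credential-assignment", re.compile(
        r"(?i)\b[A-Z0-9_]*(?:secret|password|passwd|token|api_?key)[A-Z0-9_]*"
        r"\s*[:=]\s*['\"]([^'\"]+)['\"]")),
]

# Entropy catch-all: long, random-looking literals under innocent names.
STRING_LITERAL = re.compile(r"""["']([^"'\s]{20,})["']""")
ENTROPY_THRESHOLD = 4.0  # bits per character; this example's own cut-off


class Finding(NamedTuple):
    line: int
    rule: str
    value: str


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random keys score high, prose scores low."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def scan_source(text: str) -> List[Finding]:
    """Return every rule hit, one Finding per (line, rule)."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in PATTERN_RULES:
            m = pattern.search(line)
            if m:
                # Report the captured secret if the rule has a group, else the match.
                findings.append(Finding(lineno, rule, m.group(m.lastindex or 0)))
        for literal in STRING_LITERAL.findall(line):
            if shannon_entropy(literal) >= ENTROPY_THRESHOLD:
                findings.append(Finding(lineno, "high-entropy-literal", literal))
    return findings


def rules_by_line(findings: List[Finding]) -> Dict[int, Set[str]]:
    """Group findings so a caller can see which rules fired on each line."""
    out: Dict[int, Set[str]] = {}
    for f in findings:
        out.setdefault(f.line, set()).add(f.rule)
    return out


def mask(value: str) -> str:
    """Never echo a whole secret into logs; a prefix is enough to locate it."""
    return value[:4] + "..." if len(value) > 4 else "****"


if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f.line}: {f.rule}: {mask(f.value)}")
```

Run over the output of `git diff --cached` in a pre-commit hook, this catches a key before it ever reaches a remote. The pattern rules produce few false positives; the entropy rule will also flag hashes, base64 test fixtures and the like, so tune the threshold and keep an allow-list. Note what the scanner does not do: it finds secrets, it does not un-leak them. Anything that has ever been committed should be revoked and rotated, and the replacement supplied at runtime from the environment or a secrets manager rather than from the source file.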

Developers need to be far more fastidious about what goes into their source code and repositories to avoid attackers taking over the cloud services that power their systems: keys belong in the environment or a secrets manager, injected at deploy time, not in the code. After all, what's the point in trying to make your code secure in other ways if it promptly hands over the crown jewels?
