Skip to content
INSECURE BY DEFAULT

Thousands of servers found leaking 750MB worth of passwords and keys

Leaky etcd servers could be a boon to data thieves and ransomware scammers.

Dan Goodin | 60
Credit: Mike Pratt
Credit: Mike Pratt

Thousands of servers operated by businesses and other organizations are openly sharing credentials that may allow anyone on the Internet to log in and read or modify potentially sensitive data stored online.

In a blog post published late last week, researcher Giovanni Collazo said a quick query on the Shodan search engine returned almost 2,300 Internet-exposed servers running etcd, a type of database that computing clusters and other types of networks use to store and distribute passwords and configuration settings needed by various servers and applications. etcd comes with a programming interface that responds to simple queries that by default return administrative login credentials without first requiring authentication. The passwords, encryption keys, and other forms of credentials are used to access MySQL and PostgreSQL databases, content management systems, and other types of production servers.

Collazo said he wrote a simple script that ran through the 2,284 etcd servers found in his Shodan search. Using the query GET http://:2379/v2/keys/?recursive=true, the script was designed to return all credentials stored on the servers in a format that would be easy for hackers to use. Collazo stopped the script after it collected about 750 megabytes of data from almost 1,500 of the servers. The haul included:

  • 8,781 passwords
  • 650 Amazon Web services access keys
  • 23 secret keys
  • 8 private keys

"I did not test any of the credentials but if I had to guess I would guess that at least a few of them should work and this is the scary part," Collazo wrote. "Anyone with just a few minutes to spare could end up with a list of hundreds of database credentials which can be used to steal data, or perform ransomware attacks."

Researcher Troy Mursch told Ars that he independently verified the findings and believes the Internet-exposed etcd servers pose a serious concern for anyone operating one. He also posted an image of one result he got from his own query sent to an open database. The image showed a password that provided root access to a MySQL database. The exposed etcd server wasn't the only example of poor security practices. As the image above shows, the MySQL password itself was "1234."

It's possible that multi-factor authentication and other security measures will prevent many of the credentials from being used on their own to gain access to the servers they protect. Still, as Collazo said, if even hundreds of credentials are sufficient to gain powerful administrative access, they will provide a valuable opportunity for data thieves and ransomware scammers.

Mursch and Collazo said that whenever possible, etcd servers shouldn't be exposed to the Internet, and admins should change their default settings so the servers pass credentials only when users authenticate themselves. Collazo also said etcd maintainers should consider changing the default behavior to require authentication.

Listing image: Mike Pratt

Photo of Dan Goodin
Dan Goodin Senior Security Editor
Dan Goodin is Senior Security Editor at Ars Technica, where he oversees coverage of malware, computer espionage, botnets, hardware hacking, encryption, and passwords. In his spare time, he enjoys gardening, cooking, and following the independent music scene. Dan is based in San Francisco. Follow him at here on Mastodon and here on Bluesky. Contact him on Signal at DanArs.82.
60 Comments
Prev story
Next story