There was some unauthorised access to the Docker Hub Database. tl;dr… user names, hashed passwords, and deploy tokens, taken.

If you have a docker hub account, change the password now. And while you are there, complain about their lack of 2-factor authentication. Also while you are there you should (out of caution) remove all deploy keys and rebuild all your containers.

Now, you may be thinking, what does this have to do with me? I don’t have a docker hub account, I don’t publish images. But you use them. Either directly (every time you type docker run you are likely using one from here), or as you use any cloud (e.g. Kubernetes).

Now, you are thinking, I’m not a developer, I don’t use that. But you still do, you see many things you use day-to-day (including this blog) are part of the chain. We are all inter-twined. One player makes a mistake, loses some authentication tokens, we are all put at risk.

What’s the nightmare scenario? Docker Hub found that 190K accounts were compromised in this attack. Was there a previous one that wasn’t detected? Did somebody use that to publish an improved version of some popular container? How bad could that be?

Well, very bad. Docker (all containers) are a set of layers. If you get control of a base-layer, you own a lot of things. Let’s say that someone managed to add some malware to Alpine or Ubuntu or Debian base images? The rest of the world would blissfully import that, and then run inside their own environment. No firewall would protect you (because you, the privileged user, did the deploy).

I predict there is an iceberg boiled frog affect here. The iceberg: for every attack we here, there are 10(000) we don’t. The boiled frog. We hear of little attacks here and there, they don’t immediately affect us, so our tolerance goes up, we stop listening. And one day bad things happen.

Share This

Share this post with your friends!