Contractor for Universal Music Group exposes internal credentials
Kromtech Security Center experts discovered that Agilisium (a cloud data storage contractor for Universal Music Group) exposed UMG's internal FTP credentials, AWS configuration details (secret access key and password), and internal source code details (SQL passwords) via two unprotected Apache Airflow server instances.
Apache Airflow “is a platform to programmatically author, schedule and monitor workflows”. It is written in Python. By default, Airflow is wide open, or, as the first line of its Security documentation states, “By default, all gates are opened.” This means that you must take the steps to secure the server yourself. Those steps were obviously skipped by whoever set up this server, and in skipping them they inadvertently exposed everything.
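To make the “all gates are opened” default concrete, here is an added example (our illustration, not Agilisium's configuration or Airflow project code) that reads an Airflow 1.x `airflow.cfg` and flags the settings that leave the UI, the REST API and stored connection passwords unprotected; both config snippets are constructed, and the key names assume the Airflow 1.x configuration layout.

```python
import configparser
from typing import List

# Constructed airflow.cfg fragment left at Airflow 1.x defaults (not a real deployment's file).
WEAK_CFG = """
[core]
fernet_key =

[webserver]
authenticate = False
expose_config = True

[api]
auth_backend = airflow.api.auth.backend.default
"""

# The same fragment with the gates closed. The fernet key value is a placeholder;
# a real one is generated locally and never committed to source control.
HARDENED_CFG = """
[core]
fernet_key = PLACEHOLDER_FERNET_KEY_GENERATED_LOCALLY

[webserver]
authenticate = True
auth_backend = airflow.contrib.auth.backends.password_auth
expose_config = False

[api]
auth_backend = airflow.api.auth.backend.deny_all
"""


def audit_airflow_cfg(text: str) -> List[str]:
    """Return one finding per 'open gate' found in an Airflow 1.x config."""
    # interpolation=None so '%' characters in keys or URIs are not mangled.
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    findings = []
    if cfg.get("webserver", "authenticate", fallback="False").lower() != "true":
        findings.append("webserver.authenticate is off: the UI needs no login")
    if cfg.get("webserver", "expose_config", fallback="False").lower() == "true":
        findings.append("webserver.expose_config is on: airflow.cfg is shown in the UI")
    if not cfg.get("core", "fernet_key", fallback="").strip():
        findings.append("core.fernet_key is empty: connection passwords are stored in plaintext")
    if cfg.get("api", "auth_backend", fallback="airflow.api.auth.backend.default").endswith(".default"):
        findings.append("api.auth_backend is the default: the REST API accepts unauthenticated calls")
    return findings
```

Run the check against a deployment's own `airflow.cfg` before exposing the webserver to a network; an empty result is the goal.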
We were rather surprised to find these, especially at Agilisium, which boasts on its page: “Agilisium achieves AWS Big Data Competency Partner status. Yet another milestone in our commitment towards clients' success”. We are not sure we would call making your AWS secret key and password, your internal FTP credentials, and your SQL root password public a sign of complete competence. It is a large blunder to make!
“Do not provide your access keys to a third party, even to help find your canonical user ID. By doing this, you might give someone full access to your account.”
While it is mainly up to you to ensure that your servers are properly secured, software should be designed from a security-first perspective, especially in this day and age. In the early days of the Internet it was common to develop for ease of use over security, but as the Internet grew, this security-second mistake turned out to have long-lasting and far-reaching consequences. Most popular software packages had to backtrack to add security. Some are still working on it years later.
There is no excuse for putting security second in your development projects today. There are plenty of examples now showing how this approach fails: we have reported many MongoDB instances that leaked data because security was not the first priority in development, and MongoDB made many changes to catch up. A security-first approach is always the best approach when dealing with sensitive data.
Universal Music Group was quick to respond when contacted and has resolved the issue.
Attention - Portions of this article may be used for publication if properly referenced and credit is given to Kromtech Security Center.
Do you have security tips or suggestions? Contact: firstname.lastname@example.org