How secure are container registries? Not very secure if you make them public and hope no one guesses the URL where they’re hosted. That’s the lesson from the recent Docker registry security breach at Vine.
The breach, which was reported in late July, allowed a security researcher to pull the entire source code for the Vine video hosting service from a Docker container.
The researcher did so by guessing the URL for the Vine container registry. Although the registry URL was not publicly advertised, the registry itself turned out to be public. That meant it did not require authentication.
As a result, once the URL was identified, the researcher could simply use the pull command on the Docker command line interface (CLI) to pull container images from Vine. One of the images he downloaded turned out to contain the full source code of the Vine app, as well as API keys and other private information.
Container Registry Security Lessons
This news is surprising because a third party (who, in this case, was not actually acting maliciously) was able to gain access to so much sensitive information from a major company with relatively little effort. Anyone with a basic familiarity with Docker and a decent talent for guessing subdomain names would be able to do the same thing.
At the same time, however, the event is notable because it suggests that one of the biggest security problems with containers may not actually lie with the technology itself, but rather the way people use it. In this case, responsibility for the security vulnerability falls squarely on Vine, not Docker. If the Vine container registry had simply been configured to be private, unauthorized access would have been much more difficult.
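The Vine registry answered anonymous requests, which is exactly what the Registry v2 API lets you test for: a private registry returns 401 with a WWW-Authenticate challenge to an unauthenticated GET /v2/, while a public one returns 200 and will also serve /v2/_catalog. The following audit script is an added example (not code from the article or from Docker); the registry URL in it is a placeholder you would replace with your own registry.

```python
"""Audit check: does a Docker Registry v2 endpoint require authentication?

Run it against registries you operate. It sends one anonymous GET to /v2/
and classifies the answer; a 200 with the Docker-Distribution-API-Version
header means anyone can pull (and, via /v2/_catalog, enumerate) images.
"""
import urllib.error
import urllib.request

PUBLIC = "public"                # anonymous pulls allowed: misconfigured
AUTH_REQUIRED = "auth-required"  # 401 + WWW-Authenticate: expected
NOT_A_REGISTRY = "not-a-registry"  # no v2 API here (404, HTML page, ...)


def classify(status, headers):
    """Map the status and headers of an anonymous GET /v2/ to a verdict.

    `headers` is a mapping of header name -> value; names are matched
    case-insensitively because servers vary in capitalisation.
    """
    hdrs = {k.lower(): v for k, v in headers.items()}
    is_v2 = hdrs.get("docker-distribution-api-version", "").startswith("registry/2")
    if status == 401 and "www-authenticate" in hdrs:
        return AUTH_REQUIRED
    if status == 200 and is_v2:
        return PUBLIC
    return NOT_A_REGISTRY


def probe(base_url, path="/v2/", timeout=5):
    """Anonymous GET against the registry; returns (status, headers)."""
    req = urllib.request.Request(base_url.rstrip("/") + path, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, dict(resp.headers)
    except urllib.error.HTTPError as e:  # 401/404 arrive as exceptions
        return e.code, dict(e.headers)


def audit(base_url):
    """Return the verdict for one registry base URL (scheme + host)."""
    return classify(*probe(base_url))


if __name__ == "__main__":
    # Placeholder: point this at a registry you own.
    print(audit("https://registry.example.invalid"))
```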
(One also wonders why the folks at Vine are storing their entire platform’s source code inside a container. There are much better ways to host source code—I mean, have these people not heard of GitHub? But I digress.)
In a way, that’s good news for Docker. It suggests that Docker containers now have become popular enough for people to start doing silly things with them in production—such as using them to host sensitive information inside public container registries. In other words, this is a healthy sign of Docker adoption.
Yet the news also highlights the need for better adherence to best practices for Docker security if containers are going to be used widely in production. This is a challenge that any new type of technology faces as it goes mainstream, and Docker is now at that stage. If big-name companies such as Vine are going to use containers for real-world purposes, they need to understand and take seriously the security implications of containerized infrastructure.