Researchers on Thursday reported that a Shiba Inu AWS account credential had been leaked in a public code repository, an exposure security professionals consider serious because, during the two days the credential was public, anyone who found it could have abused it.
Pingsafe’s founder Anand Prakash wrote in a blog post that the reason for the leaked credentials was a Shiba Inu developer committing AWS infrastructure keys on a public GitHub repository.
Shiba Inu is a crypto token with a market capitalization of $6.7 billion. Created in August 2020 by an anonymous person or group known as Ryoshi, Shiba Inu now ranks as the 14th largest token by market cap, according to Prakash.
News that Shiba Inu had one of its AWS credentials on a public GitHub repository is troubling for Shiba Inu and any person or company that owns the tokens, said Karl Steinkamp, director at Coalfire.
Steinkamp said development of Shiba Inu or any other crypto-related project doesn’t differ from the development of any other non-crypto software product in that each requires a structured process for development and authorized personnel to push the code into development/test stages and into production.
“While it’s unknown if the credentials were testing credentials or meant to be production credentials, this represents a break in the internal process and likely violated Shiba’s software development lifecycle practices,” Steinkamp said. “Having AWS credentials in the open for two days presents a dangerous window of availability for any malicious attacker to perform any host of malicious activities, which may have included a full compromise of the environment, theft of tokens, and escalation of permissions into other AWS environments.”
Casey Bisson, head of product and developer enablement at BluBracket, said every company with software handles sensitive API keys and passwords, and too many of them are in code repositories. Bisson said too often, a secret in a repo is a secret shared, whether it’s because the repository was accidentally made public, because of insider threats, or because of code theft.
“Those secret keys and passwords connect to a company’s most important assets, including cloud resources, customer data, and financial transactions,” Bisson said. “We recommend every company implement automated scanning in their CI/CD process to identify secrets and other risks in code, and give developers an opportunity to correct them before they become a serious risk.”
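The automated scanning Bisson recommends can be a small check that runs on every diff before it reaches a shared repository. The following is an added illustration, not code from the article, from Pingsafe or from BluBracket: it scans only the lines a unified diff adds, flags strings shaped like AWS access key IDs (the AKIA/ASIA prefix is the public format of those keys) and keyword-adjacent 40-character secret keys, and reports them redacted so the report itself does not re-leak the value. The rule set, the `Finding` type and the sample diff are assumptions constructed for the example; the key values in the sample are the placeholder credentials AWS uses in its own documentation, not live keys.

```python
from __future__ import annotations

import re
import sys
from dataclasses import dataclass

# Detection rules (assumption: constructed for this example from the public
# shape of AWS keys; a real scanner would carry many more patterns).
RULES = {
    # Long-term access key IDs start with AKIA, temporary (STS) ones with ASIA,
    # followed by 16 upper-case alphanumerics.
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    # Secret keys are 40 base64-like characters; requiring a nearby keyword
    # keeps the false-positive rate tolerable in a CI gate.
    "aws_secret_access_key": re.compile(
        r"(?i)(?:aws_?secret(?:_?access)?_?key|secret_?key)\s*[:=]\s*['\"]?"
        r"([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
    ),
}


@dataclass(frozen=True)
class Finding:
    rule: str      # which rule fired
    line_no: int   # line number in the scanned input (diff or file)
    match: str     # redacted value, safe to print in CI logs


def redact(value: str) -> str:
    """Keep a 4-character prefix so the finding is recognisable but not reusable."""
    return value[:4] + "..." + "*" * (len(value) - 4)


def _scan_lines(numbered: list[tuple[int, str]]) -> list[Finding]:
    findings: list[Finding] = []
    for line_no, line in numbered:
        for name, pattern in RULES.items():
            for m in pattern.finditer(line):
                value = m.group(1) if m.groups() else m.group(0)
                findings.append(Finding(name, line_no, redact(value)))
    return findings


def scan_text(text: str) -> list[Finding]:
    """Scan a whole file (e.g. a full-history audit of an existing repository)."""
    return _scan_lines(list(enumerate(text.splitlines(), start=1)))


def scan_diff(diff_text: str) -> list[Finding]:
    """Scan only the lines a unified diff adds: the pre-commit / CI pull-request case.

    Line numbers refer to the diff itself, which is what a reviewer sees.
    """
    added = [
        (n, line[1:])
        for n, line in enumerate(diff_text.splitlines(), start=1)
        if line.startswith("+") and not line.startswith("+++")  # skip file header
    ]
    return _scan_lines(added)


def has_secrets(diff_text: str) -> bool:
    """Gate result for CI: True means the change must not be merged as-is."""
    return bool(scan_diff(diff_text))


# Constructed sample diff. The key values are the placeholder credentials AWS
# publishes in its documentation, used here precisely because they are not real.
SAMPLE_DIFF = """\
diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -1,3 +1,5 @@
 DEBUG = False
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
 ALLOWED_HOSTS = ["example.com"]
-OLD = 1
"""


def main() -> int:
    # Usage: git diff --cached | python secret_gate.py   (exit 1 blocks the commit)
    diff_text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DIFF
    findings = scan_diff(diff_text)
    for f in findings:
        print(f"{f.rule} at diff line {f.line_no}: {f.match}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

Wired into a pre-commit hook or a CI job, `has_secrets` gives developers the chance to correct the commit before it is shared, which is the window Bisson describes. One caveat a practitioner should keep in mind: once a key has reached a public repository, as in the Shiba Inu case, deleting the commit does not revoke it; the credential has to be rotated in AWS regardless of how quickly the code is cleaned up.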