Bitbucket Pipelines can leak client secrets when Secured Variables are exported into artifacts, enabling attackers to access AWS keys and other credentials. The post shows how secrets can flow from Bitbucket into plain-text artifacts like environment_variables.txt and potentially end up in public locations, with practical steps to reproduce and recommended mitigations.
#Bitbucket #SecuredVariables
Keypoints
- Secured Variables in Bitbucket are designed so administrators can set values that cannot be read in plain text, yet leakage can still occur via artifacts.
- Artifacts: copying a Bitbucket variable into an artifact (declared under the artifacts: section of bitbucket-pipelines.yml) can produce a plain-text .txt file containing the secret value.
- Secrets can end up exposed on the public internet if artifacts are published to locations like S3 buckets or company websites.
- The leak can be reproduced by creating secured variables, exporting them to an environment_variables.txt file, and retrieving the artifact from pipeline history.
- Recommendations emphasize using dedicated secrets managers, reviewing artifact objects, and deploying code scanning throughout the pipeline lifecycle.
- The piece concludes that a single misconfiguration or keystroke can cause a slow, hard-to-track drip of secrets to leak through the pipeline.
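As an added example (not code from the summarised article or from Bitbucket), a small Python check a reviewer could run over a parsed bitbucket-pipelines.yml to flag steps that dump the environment into a file they also publish under artifacts:, plus a scan of the resulting artifact text for AWS-style access key IDs. The pipeline definition and artifact content below are constructed; a real run would load the YAML with a parser first.

```python
import re
from fnmatch import fnmatch

# Commands that dump the whole step environment (Secured Variables included).
ENV_DUMP = re.compile(r"\b(printenv|env|export|set)\b")
# Shell redirection target, e.g. "printenv > environment_variables.txt".
REDIRECT = re.compile(r">{1,2}\s*(\S+)")
# AWS access key IDs: "AKIA" followed by 16 uppercase alphanumerics.
AWS_KEY_ID = re.compile(r"\b(AKIA[0-9A-Z]{16})\b")

def risky_artifact_writes(pipeline: dict) -> list[dict]:
    """Find steps that write an environment dump to a path matching one of
    their own artifacts: patterns (glob-aware, like Bitbucket's artifact list)."""
    findings = []
    for entry in pipeline.get("pipelines", {}).get("default", []):
        step = entry.get("step", {})
        artifacts = step.get("artifacts", [])
        for cmd in step.get("script", []):
            if not ENV_DUMP.search(cmd):
                continue
            m = REDIRECT.search(cmd)
            if m and any(fnmatch(m.group(1), pat) for pat in artifacts):
                findings.append({"step": step.get("name", "<unnamed>"),
                                 "command": cmd, "artifact": m.group(1)})
    return findings

def find_aws_key_ids(artifact_text: str) -> list[str]:
    """Return every AWS access key ID found in a downloaded artifact's text."""
    return AWS_KEY_ID.findall(artifact_text)

# Constructed pipeline (parsed form of a bitbucket-pipelines.yml) modelled on the
# environment_variables.txt pattern described above.
SAMPLE_PIPELINE = {"pipelines": {"default": [
    {"step": {"name": "Build", "script": ["npm ci", "npm run build"],
              "artifacts": ["dist/**"]}},
    {"step": {"name": "Debug env",
              "script": ["printenv > environment_variables.txt"],
              "artifacts": ["environment_variables.txt"]}},
]}}

# Constructed artifact content; the key ID is AWS's documented example value.
SAMPLE_ARTIFACT = ("PATH=/usr/bin\nAWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
                   "AWS_SECRET_ACCESS_KEY=<redacted>\n")

if __name__ == "__main__":
    for f in risky_artifact_writes(SAMPLE_PIPELINE):
        print(f"[!] step {f['step']!r}: {f['command']!r} publishes {f['artifact']}")
    for k in find_aws_key_ids(SAMPLE_ARTIFACT):
        print(f"[!] AWS access key ID found in artifact: {k}")
```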
MITRE Techniques
- [T1552.001] Credentials in Files – The article shows secrets being exposed in artifacts as plain text when copied from Bitbucket variables. Quote: “…the result will generate a .txt file with the value of that variable displayed in plain text.”
- [T1567.002] Exfiltration to Cloud Storage – Secrets end up in publicly accessible locations such as S3 Buckets or company websites. Quote: “publishe[d] to publicly available locations like S3 Buckets or company websites.”
- [T1074.001] Data Staged – Secrets are exported into an environment_variables.txt file as part of pipeline execution. Quote: “copy all environment variables from Bitbucket to a .txt file called environment_variables.txt.”
Indicators of Compromise
- [File Name] environment_variables.txt – created by the pipeline to capture all environment variables, exposing secrets in plain text. Example: environment_variables.txt
- [File Name] bitbucket-pipelines.yml – the pipeline definition file that can trigger the export process. Example: bitbucket-pipelines.yml
- [File] .tar – archive that may bundle exported artifacts, including the secret-bearing file; extraction may be required to inspect it. Example: data.tar
- [Domain] Public storage locations – locations like S3 buckets or company websites where artifacts could be exposed. Example: S3 bucket URL, corporate website
Read more: https://cloud.google.com/blog/topics/threat-intelligence/bitbucket-pipeline-leaking-secrets/