Old Apache Airflow leaks IT, health, cybersecurity industry secrets

Misconfigured Apache Airflow credential leak could cause massive compromise

Misconfigured instances can lead to the direct reveal of various secrets across industries

Security experts in cybersecurity company Intezer Labs Ltd have found misconfigurations in old versions of Apache Airflow. These issues could expose sensitive information across several major companies in the media, finance, manufacturing, information technology, biotech, e-commerce, health, energy, cybersecurity, and transportation industries. Airflow is known to support a vast variety of cloud services that now is at risk.

Researchers suggest that exposing Slack, AWS credentials could cause data leakage or weaken the system enough for attackers to gain further control. Exposed data could cause severe damage and violate customers' privacy. It is a significant leak as it impacts not only personal accounts but entire application framework instances. Basically, individual information is at risk right now but the leak could cause even bigger compromises in massive quantities moving forward.^[1]

As of right now, the misconfiguration flaws resulted in sensitive data leakage including thousands of credentials from popular platforms and services such as Slack, PayPal, and Amazon Web Services. The most common reason for credential leaks seen on Airflow was insecure coding practices. In another case of misconfiguration, researchers saw Airflow servers with a publicly accessible configuration file. Other examples included sensitive data and the improper use of the Connections feature.^[2]

Leakage is a direct consequence of delayed patching

Experts suggest that recently discovered threats come from delaying software updates. Several of now identified flaws were discovered back in 2015 but still aren't patched. Putting customer records and sensitive data out in the wild while exposing them is threatening not only companies reputation. It is illegal to put customers in such a situation due to security flaws resulting from procrastinated patching.

This kind of behavior could result in a hefty fine. E-commerce giant Amazon took a hit back in July when the company was issued the largest ever fine for data protection violations in Europe. Back then, Luxembourg's data protection authority commanded Amazon to pay a penalty of 746 million euros ($888 million) for violating the EU's strict data protection laws, known as the GDPR.^[3]

Amazon is scrutinized for the ways it uses personal customer data. Experts point out that a company's data processing policies violate privacy protections. It is speculated that these protections could even give the company an advantage over competitors operating within its marketplace. While the Airflow issue is related more to potential hack situations, putting customers in danger over companies' personal benefit seems to be common practice.

Security issues should be dealt with immediately

System patching could help in various threatening situations if done on time. Operating system (OS) patching is an important part of keeping IT systems and applications in the cloud or on-premise environments safe from malicious users that exploit vulnerabilities. Patches could fix a software bug, install new drivers, address new security vulnerabilities and stability issues, upgrade the software.^[4]

In the Apache Airflow case, patching is already too late now. Apache Airflow is an open-source platform designed for scheduling, managing, and monitoring workflows. The modular software is also used to process data in real-time, with work pipelines configured as code. Companies' goal is to provide software for the public good. It was established in 1999 and is funded by individual donations and corporate sponsors.^[5]