
If you got an email you should:

- Change your password on https://hub.docker.com

- Check https://github.com/settings/security

- Reconnect oauth for Automated Builds

- Roll over affected passwords and API keys stored in private repos / containers

Quick take:

- Password hashes

- Github tokens

- Bitbucket tokens

- Your Automated Builds might need new tokens

Checking my github logs - It looks like they've known about this for at least a full 24 hours. Most people aren't going to have this looked at until Monday which kind of sucks. Hopefully there is more of a postmortem coming.

Is anyone from github able to comment on this as well?

There doesn't seem to be a way for us to tell if a repo was read by these keys over that time period.

Yesterday at 9pm PT my private Github repo produced this notification:

  The following SSH key was added to the foo/bar repository 
  by myorg-dockerhub-user:

  Docker Cloud Build

  If you believe this key was added in error, you can 
  remove the key and disable access...

I wonder if this is related? Dockerhub integration and its keys were still present on Github. In any case, I've revoked everything until the impact becomes clearer.

Can I complain a bit about GitHub? Why can I only authorize my entire GitHub account for third-party access? Could things be slightly better if the authorization were done at repository level?

GitHub provides a way for more granular third-party access: GitHub Apps. There, access can be set on a repository level [1]. E.g. Netlify can be configured as a GitHub app.

It seems like Docker Hub is implemented as an OAuth app [2], where these granular options are not available and you have to grant access to all your repositories.

[1] https://developer.github.com/apps/differences-between-apps/

[2] https://docs.docker.com/docker-hub/builds/link-source/

You could implement OAuth per repo if github wanted to, though. Or alternatively, can you grant access to a specific organisation? Not sure. The default should be per repo auth IMO.

I just looked at github OAuth scopes ( https://developer.github.com/apps/building-oauth-apps/unders... )

Honest question: what's the point of using OAuth when the Authz is so coarse? Why not augment it to have scopes per repo? Is it considered bad practice to have a variable (repo name) as a scope?

IIRC the OAuth2-interfacing application needs to (or at least should) know beforehand exactly what to request access to, so if that's read/write access to all of the user's content, it's trivial. For the external application to know something specific like a particular resource is more complicated to deal with (especially with private/hidden content), so most OAuth providers don't provide that level of granularity. It can be done, it just requires more engineering than most (all?) off-the-shelf OAuth solutions provide, and it's more control than most users actually need.

Holy shit this is a crazy attack vector.

I found this snippet on Docker Hub's Linked Account Settings:

> Service user (or machine/bot account) suggested

> Attaching your personal GitHub or Bitbucket account to this Docker Hub organization will allow other organization owners to create builds from your private repositories. We suggest using a service user (also referred to as a machine user or bot account).

cf.: https://docs.docker.com/docker-cloud/builds/automated-build/...

Seems worthwhile to do this, if you're an enterprise or otherwise have sensitive private repos. But I agree that it would be better to have an easier per-repo authorization system, since many users won't bother going through the hassle of setting up a service account.

> > Attaching your personal GitHub or Bitbucket account to this Docker Hub organization will allow other organization owners to create builds from your private repositories. We suggest using a service user (also referred to as a machine user or bot account).

> c.f.: https://docs.docker.com/docker-cloud/builds/automated-build/....

Did they remove this language from your link? I don't see it anymore.

Or to take it a step further, let me override which permissions I grant during the OAuth request.

In my case I don't even know why it needs read and WRITE access to ALL repositories. All I want is for it to build one public repository. It doesn't need any special permissions for that at all.

You can authorize specific orgs your account has access to vs your whole account if that's what you're looking for.

Also not sure what access permissions you need but deploy keys are repo level.


Machine users are another option.


Seems that dockerhub is using the github oauth permissions to do three things:

- retrieve a list of all repos to display in the autobuild setup page

- set up webhooks for the gh repo that should be built via dockerhub autobuild

- set up a deploy key for said repo, so that it can be cloned

I removed the dockerhub oauth on the github side after setting up autobuild. My builds on push to master and tag are still working. So it seems possible to remove dockerhub's write access to your github repos after the autobuild setup, which really seems to be a good idea.
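The three things described above (repo listing, a webhook, a deploy key) are exactly what is left behind on the GitHub side and what an owner would want to review after the incident. The following audit helper is an added example, not code from any commenter or from Docker/GitHub: it runs offline over constructed records shaped like GitHub's REST responses for `GET /repos/{owner}/{repo}/keys` and `GET /repos/{owner}/{repo}/hooks`, and the incident window, the key title and the hook URL are assumptions chosen to match the thread.

```python
import json
from datetime import datetime, timezone
from urllib.parse import urlparse

# Constructed sample records (values are made up); field names follow the
# GitHub REST responses for GET /repos/{owner}/{repo}/keys and .../hooks.
SAMPLE_KEYS = json.loads("""[
  {"id": 1, "title": "Docker Cloud Build", "read_only": true, "created_at": "2019-04-26T01:12:25Z"},
  {"id": 2, "title": "ci-deploy", "read_only": false, "created_at": "2018-11-02T09:00:00Z"},
  {"id": 3, "title": "backup", "read_only": true, "created_at": "2019-04-25T23:00:00Z"}
]""")
SAMPLE_HOOKS = json.loads("""[
  {"id": 10, "active": true, "config": {"url": "https://hub.docker.com/example/hook"}},
  {"id": 11, "active": true, "config": {"url": "https://ci.example.invalid/hook"}}
]""")

# Assumed review window (not stated in the thread): the commenter's audit-log
# event fired at 2019-04-25 20:12:25 -0400, i.e. 2019-04-26T00:12:25Z.
WINDOW = (datetime(2019, 4, 24, tzinfo=timezone.utc),
          datetime(2019, 4, 27, tzinfo=timezone.utc))

def parse_ts(s):
    """GitHub timestamps are ISO-8601 in UTC with a trailing Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def suspicious_keys(keys, window=WINDOW, title="Docker Cloud Build"):
    """Map key id -> reasons it deserves review: a Docker Hub style title,
    creation inside the window, or write access (autobuild only needs to clone)."""
    flagged = {}
    for k in keys:
        reasons = []
        if k["title"] == title:
            reasons.append("dockerhub-title")
        if window[0] <= parse_ts(k["created_at"]) <= window[1]:
            reasons.append("created-in-window")
        if not k.get("read_only", False):
            reasons.append("write-access")
        if reasons:
            flagged[k["id"]] = reasons
    return flagged

def dockerhub_hooks(hooks):
    """Ids of webhooks whose target host is docker.com or one of its subdomains."""
    out = []
    for h in hooks:
        host = urlparse(h["config"].get("url", "")).hostname or ""
        if host == "docker.com" or host.endswith(".docker.com"):
            out.append(h["id"])
    return out
```

Feed it the real API output for each private repo and review every flagged key and hook; a key that is only flagged `write-access` is not Docker Hub related but is still broader than a clone needs.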

At the moment I can't change the password. It fails with "Failed to save password" error, no more information.

EDIT: it finally worked, 4th attempt, and very slowly. Looks like something isn't working 100% as it should.

EDIT 2: aaaand I can't login now with the new password. A password reset did work, but it looks like their password database is under some stress at the moment.

My guess is their auth system is/was under a ton of load.

Specifically, to make the password database more secure, the generation of password hashes is very computationally intensive by design (e.g. that's the whole point of something like bcrypt vs. sha1).

Password systems really shouldn't be designed to handle a 10x or 100x load without some slowdown. If they could handle that, it means their password DB probably isn't as hardened as it should be.

Password reset worked for me. Trying to change it from the account page did not.

Same, can't change password.

I could as of 10 minutes ago.

Yep - my "deleted by associated Oauth application" event was triggered 2019-04-25 20:12:25 -0400
