While researching a misconfiguration in the popular workflow platform Apache Airflow, Intezer discovered several unprotected instances. These unsecured instances expose companies’ sensitive information across the media, finance, manufacturing, information technology (IT), biotech, e-commerce, health, energy, cybersecurity, and transportation industries. In the vulnerable Airflows, Intezer observed exposed credentials for popular platforms and services such as Slack, PayPal, AWS and more.


During the research process, Intezer also found:

  • Many misconfigured Airflow instances have exposed the credentials of popular services, including cloud hosting providers, payment processing, and social media platforms.
  • Exposed secrets such as user credentials can cause data leakage or provide attackers with the ability to spread further in the system.
  • Customer data exposed as a result of a data leak can lead to a violation of data protection laws and the possibility of legal action.


Researchers say that malicious code execution and malware can also be launched on the exposed production environments and even on Apache Airflow itself.


Intezer has notified the identified entities to fix their misconfigured Airflow instances as part of the responsible disclosure policy.


Jake Williams, Co-Founder and CTO at BreachQuest, an Augusta, Georgia-based leader in incident response, says, “This leak is extremely significant. Unlike more traditional credential leaks that impact individual user accounts, these credential leaks impact entire application framework instances. Threat actors might use leaked credentials to compromise entire databases containing sensitive user content. In some cases, threat actors might be able to use these credentials to compromise entire application containers and/or run their own containers using a victim’s billing information. In short, while user information wasn’t directly compromised through these leaks, they open the door to compromises of user data in massive quantities.”


Misconfigured cloud services and apps are a massive security risk to any organization, explains Hank Schless, Senior Manager, Security Solutions at Lookout, a San Francisco, Calif.-based endpoint-to-cloud security company. 


“These days, a simple misconfiguration could be the backstage pass that an attacker needs to access the entire infrastructure. Attackers are constantly crawling the internet to find misconfigured or unsecured services that they can easily access. One misconfigured service could give an attacker all they need to move laterally throughout the entire infrastructure - especially in large complex infrastructures where the attacker can move quietly without setting off any alarm bells,” Schless says. “This particular incident is concerning because of the number and variety of cloud services that Airflow supports. As one of the most popular open-source solutions in the world, the effects of the incident are far-reaching.”


“Managing the security posture of your cloud and SaaS apps should be a key aspect of any organization’s overall security strategy. Cloud access security broker (CASB) solutions help solve this issue by keeping an eye on the configurations of any cloud-based SaaS or IaaS app,” Schless adds. “These solutions also help identify anomalous activity that could be indicative of a compromised account or device through user and entity behavior analytics (UEBA), and data loss prevention (DLP) capabilities to keep your corporate data safe.”