Some time ago, a friend created for me a docker image with AWS credentials inside. He just pushed it to dockerhub.com and asked me to try it. He did not realise that he actually published secrets in the public repository.
You may find public repositories by calling the endpoint:
You can see query=aa; you may iterate over all combinations such as "ab", "ac" ... "zz".
You can read information about concrete user accounts:
From this response, you may decide which repositories have the biggest potential to contain secrets. For me, these are quiet and fresh repositories, uploaded by mistake:
star_count = 0
pull_count < 100
is_automated = false
is_official = false
You may download the image:
docker pull $IMAGE_NAME
Later you may export its content to a TAR file by calling:
docker save -o output.tar $IMAGE_NAME
Later you can untar the file, find an application archive (for example, a JAR), unzip it, and search files such as .properties for secrets.
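The same unpacking steps work as a pre-publish check on an image you built yourself. The following is an added example, not code from the original post: it walks the output.tar produced by docker save, opens nested JAR/WAR/ZIP files, and reports the location (never the value) of anything that looks like a credential. The function names and the two patterns are assumptions chosen for illustration.

```python
import io, re, sys, tarfile, zipfile

# Patterns are illustrative assumptions; extend them for the secrets you use.
PATTERNS = {
    "aws-access-key-id": re.compile(rb"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "secret-assignment": re.compile(
        rb"(?im)^[ \t]*[\w.-]*(?:secret|password|token|api[_.-]?key)[\w.-]*[ \t]*[=:][ \t]*\S+"),
}
ARCHIVES = (".jar", ".war", ".zip")

def scan_entry(path, data, findings):
    """Scan one file; recurse into JAR/WAR/ZIP archives."""
    if path.lower().endswith(ARCHIVES):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if not info.is_dir():
                        scan_entry(f"{path}!{info.filename}", zf.read(info), findings)
        except zipfile.BadZipFile:
            pass  # wrong extension or corrupt archive: nothing to unpack
        return
    for label, rx in PATTERNS.items():
        for m in rx.finditer(data):
            # Report location only, so the secret never lands in CI logs.
            findings.append((path, data.count(b"\n", 0, m.start()) + 1, label))

def scan_image_tar(fileobj):
    """Walk a `docker save` archive: every member that is itself a tar is a layer."""
    findings = []
    with tarfile.open(fileobj=fileobj, mode="r:*") as outer:
        for member in outer:
            if not member.isfile():
                continue
            blob = outer.extractfile(member).read()
            try:
                layer = tarfile.open(fileobj=io.BytesIO(blob), mode="r:*")
            except tarfile.TarError:
                continue  # manifest or config JSON, not a layer
            with layer:
                for f in layer:
                    if f.isfile():
                        scan_entry(f.name, layer.extractfile(f).read(), findings)
    return findings

if __name__ == "__main__":
    with open(sys.argv[1], "rb") as fh:
        hits = scan_image_tar(fh)
    for path, line, label in hits:
        print(f"{path}:{line}: {label}")
    sys.exit(1 if hits else 0)
```

Pass output.tar as the only argument; a non-zero exit status means at least one finding. Because every layer is scanned, a secret that a later layer deletes is still reported.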
Of course, DockerHub.com has some limitations. A free account can pull only 200 images per 6 hours -> 800 per day.
If you pay $9 per month, you may pull 5_000 images per day.
Warning: I would expect dockerhub.com to store the IP addresses of clients, so it can be a starting point for law enforcement.
What can be found in the docker images on DockerHub? I can imagine some examples:
AWS root keys
deepl.com secret keys
OpenAI secret keys
My biggest problem is, how to monetize such secrets. As I have proven, mining Monero cryptocurrency on AWS is a joke (around 1% of the return of invested money). You may say, it is not your money, but to earn $1k, you need to use around $100k of AWS resources. For me, the profit is too small.
Do you have a good idea of how to monetize secrets found in the Docker images found on DockerHub.com? Let me know!
Let me know in the comments, what you think about this topic!
You can also write a direct message to me: email@example.com