Flaw in Apache Airflow Servers Leaked Thousands of Credentials

The most common cause of the credential leaks was unsafe coding practices.

Researchers at the security company Intezer found misconfigured deployments of the popular open-source workflow management platform Apache Airflow. The misconfigurations leaked sensitive data, including thousands of credentials for popular platforms and services such as Slack, PayPal, and Amazon Web Services (AWS).

Across the scenarios the researchers analyzed, the most common cause of credential leaks was unsafe coding practices: for example, the Intezer team found multiple production installations with passwords hardcoded inside Python DAG code.

In another misconfiguration case, the researchers found Airflow servers whose configuration file was publicly readable. The configuration file (airflow.cfg) is created the first time Airflow is started and holds the Airflow configuration along with passwords and keys. If the expose_config parameter in that file is mistakenly set to True, the web server exposes the configuration, secrets included, to everyone who can reach the web UI.

Other examples include sensitive data stored in Airflow Variables that an unauthorized user can edit to inject malicious code, and misuse of the Connections feature, where credentials are placed in the Extra field and stored as unencrypted JSON blobs.
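The three findings above (hardcoded passwords in DAG code, expose_config left on, and secrets kept outside the encrypted fields) are all things an operator can audit offline. The script below is an added example written for this article, not Intezer's tooling or Airflow's own code: it parses an airflow.cfg fragment with the standard library and flags the weak settings, and it walks the AST of a DAG file looking for string constants assigned to password-like names. The config text, the DAG source, and the placeholder fernet key are constructed samples; the AWS key values are the well-known example credentials from the AWS documentation, not real keys.

```python
"""Audit checks for the Airflow misconfigurations discussed above.

Added example, not part of the original article or of Airflow itself.
Standard library only, so it runs offline; all inputs are constructed.
"""
import ast
import configparser
import re

# Constructed airflow.cfg fragment with the weak settings (Airflow 1.x style).
SAMPLE_CFG = """\
[core]
fernet_key =
load_examples = True

[webserver]
expose_config = True
authenticate = False
"""

# Constructed hardened counterpart. The fernet key is a placeholder: generate a
# real one with cryptography.fernet.Fernet.generate_key() and keep it out of git.
HARDENED_CFG = """\
[core]
fernet_key = PLACEHOLDER-generate-with-Fernet.generate_key()
load_examples = False

[webserver]
expose_config = False
authenticate = True
"""

# Constructed DAG source with credentials embedded as string literals.
SAMPLE_DAG = '''\
from airflow.operators.python import PythonOperator

DB_PASSWORD = "s3cr3t-hunter2"
aws_secret_access_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"

def upload():
    client = make_client(aws_access_key_id="AKIAIOSFODNN7EXAMPLE")
'''

# Variable and keyword-argument names that usually carry a credential.
SECRET_NAME = re.compile(
    r"(pass(word|wd)?|secret|token|api_?key|access_?key|credential)", re.I
)


def audit_config(cfg_text: str) -> list[str]:
    """Return one finding per weak airflow.cfg setting named in the article."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(cfg_text)
    findings = []
    if cp.getboolean("webserver", "expose_config", fallback=False):
        findings.append("webserver.expose_config=True: airflow.cfg, "
                        "including passwords and keys, is shown in the web UI")
    if not cp.get("core", "fernet_key", fallback="").strip():
        findings.append("core.fernet_key is empty: Connection passwords "
                        "are stored unencrypted in the metadata database")
    # Airflow 1.x only; the option no longer exists in Airflow 2.
    if cp.has_option("webserver", "authenticate") and not cp.getboolean(
        "webserver", "authenticate"
    ):
        findings.append("webserver.authenticate=False: Variables and "
                        "Connections are readable without a login")
    return findings


def _is_nonempty_str(node: ast.AST) -> bool:
    return isinstance(node, ast.Constant) and isinstance(node.value, str) and bool(node.value)


def find_hardcoded_secrets(source: str, filename: str = "<dag>") -> list[tuple[int, str]]:
    """Return (line, name) for string literals bound to credential-like names.

    Covers plain assignments (DB_PASSWORD = "...") and keyword arguments
    (client(aws_access_key_id="...")). Values pulled from Variables,
    Connections or the environment are Calls, not Constants, so they pass.
    """
    tree = ast.parse(source, filename)
    hits = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Assign):
            for target in node.targets:
                if isinstance(target, ast.Name) and SECRET_NAME.search(target.id) \
                        and _is_nonempty_str(node.value):
                    hits.append((node.lineno, target.id))
        elif isinstance(node, ast.keyword):
            if node.arg and SECRET_NAME.search(node.arg) and _is_nonempty_str(node.value):
                hits.append((node.value.lineno, node.arg))
    return sorted(hits)


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CFG):
        print("CFG:", finding)
    for line, name in find_hardcoded_secrets(SAMPLE_DAG):
        print(f"DAG line {line}: literal credential bound to {name!r}")
```

Run it against a real deployment by reading $AIRFLOW_HOME/airflow.cfg into audit_config and each file under the dags folder into find_hardcoded_secrets. The AST scan is deliberately simple: it catches the pattern Intezer described (a literal password in the DAG source) and ignores values fetched at runtime, which is where credentials should come from.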

The vast majority of issues were found on servers running Airflow v1.x, a branch dating back to 2015 that organizations across all sectors still use.

Airflow 2 introduced many new security features, including a REST API that requires authentication for all operations. The newer version also no longer stores sensitive information in the logs, and it forces the administrator to explicitly set the configuration rather than relying on the defaults.