Report #42049

Report Date
March 20, 2025
Status
Closed
Payout

Bug Report #25MAR117 (GCP Private Key Leaked on GitHub Repository)

Report Info

Report ID

#42049

Report Type

Websites and Applications

Has PoC

Yes

Target

https://basin.exchange

Impacts

Ability to execute arbitrary system commands

Details

I have discovered that a private key for the service account associated with bean-analytics-data-writer@tbiq-beanstalk-analytics.iam.gserviceaccount.com has been publicly exposed on a GitHub repository. This key grants access to sensitive resources, and it should be rotated immediately to mitigate any potential security risks.

Steps to Reproduce

Visit the URL to see the leaked file: https://github.com/BeanstalkFarms/Beanstalk-Analytics/blob/fedefc69a6cc650988da472dd8bf2172d1efe20a/src_py/tbiq-beanstalk-analytics-bca7893d8291.json#L6

Leaked content (the key file is reproduced at the end of this page):

Impact

The exposed private key poses a significant security threat, as it grants access to critical cloud resources. Unauthorized access to these resources could lead to data loss, service disruption, and unauthorized operations within the project tbiq-beanstalk-analytics.

Actions Taken

I did not perform further testing to avoid inadvertently affecting internal systems or resources. The private key was found to be valid, and it is possible that it may have been compromised.

Fix

Immediate Action: Rotate the exposed private key to prevent unauthorized access.

Proof of Concept

The private key in question was exposed publicly, and I have confirmed its validity by listing the active credentials using the gcloud command:

export GOOGLE_APPLICATION_CREDENTIALS="project.json"
gcloud auth activate-service-account --key-file=project.json
gcloud auth list

Output (reproduced at the end of this page, after the key file):

This command confirms that the service account bean-analytics-data-writer@tbiq-beanstalk-analytics.iam.gserviceaccount.com is active and authenticated, validating that the private key is indeed in use. I didn't test it further as it might harm internal settings or systems. Let me know if I need to test it further.

BIC Response

This exposure is known, and the credentials in question are not associated with any Beanstalk Farms account. Therefore we are closing the report and no reward will be issued.

Leaked content (the key file linked under Steps to Reproduce):

{
  "type": "service_account",
  "project_id": "tbiq-beanstalk-analytics",
  "private_key_id": "bca7893d8291018eea9618c7ef5ff3de52ac9b73",
  "private_key": "-----BEGIN PRIVATE KEY-----\nMIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCbNezRYYsOOPZi\nQPr2fFGuTqLkv4fDt2qVEtivFu9cvVEYOXWcy/5TKzffXFd3oqLzf/DYzRDeahJl\nfwvk9ZJInCrWvzeLwRrIy6kTnND5OuSyIMiQptEVbS8KC3XGoxUT7o+IP1bJ2UuM\ni28xKhArF5x5DpzA8gE4XKzqD4q4c0NPgruNyEH/vdq45WHpCt1zE7FX5oiE5zOt\nhgLrluFgMtM3YEFC3MKBU2emDUHwVTjrNnvG/+kYfpu6nIKZDzMFBoZ0Q9q8eHCP\niy8ChJFxUldAOX6xST8ib49LrreWTAhJbkqbeDhJYbyyhWmOeQB+7NRsGBdno4iC\nylUjQC0xAgMBAAECggEAFahzsE/1MHngX5uDqYt1dmZAsrzLPBNHCyBDHkOMCRvd\nygySjdulVIOuWzuudOI77NCIkigjV3XjtUgCJ+PgksM/8xFhtd2vWB+bK0JxoqWG\nLhkHA7BTcrL2omcw+xPcqBhc7P0xph7tPOJkFK8y7GByFC5mz0G1y+CavFqI1+39\nwFV8IUywSs+4mcAtHTlLGISIjuJFoI2VxzHodumtalsNMhQ7bSVTYHThm4DKNSm2\nO6Rx+W0o5RE2Tpogs9/K5eU6fJfDhOzoGI6VTGxlCK9bE2VobD3o+cbcoUNxpGEd\nBG4WeTbVRp6LHP1H9qtU+mQXFBRIhTjxFxvWvf5RBQKBgQDYVcaHYOvRdXoVXl9+\nQBG94t76cggAPBdhiiqNpy+WO3Y9nDP4wnc/15Rr1sVsczqC3x4877A+qbs4rd4o\nl4GAPtMt1scuUJEBwEUJYiSWeNLz7c6WjPiHTpdnFc6nBgnQZ4zpP7NyKQ4bPWs5\n8opSm/jHFX4iIs3rYbjwPC+NVwKBgQC3qx97ydp2qBr5EoCL3IaQsKkjFLUA+BKh\nxYgzfNWUF+46tTHlT2o6BrR7+xtxxwJfrXU48CM7Li3rYg4uKxT4ERRYwplrbe+F\nuSsNqfUPhAGJQo9Np+c0aDbRyovc8tSVuqicwIlUhCgGPzQxdUPfhtMz4WkmE0Xq\nKmt0BhR8twKBgDnx77U/Pqrh/otOteFJI/dqlzMZ7A60Ccc0jOVYTKS+1JL4Deup\nmutcwQKJimPcEWYQgTbtNJX0PJOX7pOM0UEaktIKX1uGdPC1IUi8IvSy9D4mClnE\n9KS5ZlBURP/z3BkYQ2QOjfAcEw00zE2/K1GpOV+J4DkgfWt4x2KBnHMNAoGALkws\ne3++Wfq2EeLgFGFaak6d1AH8PmpKCA1K7++fxtzhaFsUYMFL/aSDCl2Z5WxM5OFM\nkzW1K83QNW1aNbkWaBGmF1m2YqYrooGyoJce9vJHkNn+VYzlcwhyCSANcXykqbmL\nlzfRZkSJ8kksVutAWLAbvRAs+TQSg5x9yZlewLECgYAW2PZR96pOxbFvgWnTUyMP\nkARmqQgy/8XXtI9KY38yqjQ9wDy7VQWwjECil2rpf8uMcOhDk0ZsoQVoofPkwcCv\nSKVOPnZKvIe/d1eCajwt/z18W03H+KhULbjXqwrvj+IoT+5k9/ATE1dNWgVBZ6oW\n2toQyJw/Q0Pc/5TEvtjFoA==\n-----END PRIVATE KEY-----\n",
  "client_email": "bean-analytics-data-writer@tbiq-beanstalk-analytics.iam.gserviceaccount.com",
  "client_id": "109301792576877008160",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://oauth2.googleapis.com/token",
  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
  "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/bean-analytics-data-writer%40tbiq-beanstalk-analytics.iam.gserviceaccount.com"
}
Output of gcloud auth list (from the Proof of Concept above):

                           Credentialed Accounts
ACTIVE  ACCOUNT
*       bean-analytics-data-writer@tbiq-beanstalk-analytics.iam.gserviceaccount.com
        biquery-reader@origin-214503.iam.gserviceaccount.com
        firebase-adminsdk-r20zy@sapient-spark-312003.iam.gserviceaccount.com
        firebase-adminsdk-xnjov@db-ecommerce-a062c.iam.gserviceaccount.com
        gridcoder-backend-deployer@synclabd.iam.gserviceaccount.com

To set the active account, run:
    $ gcloud config set account `ACCOUNT`
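The file linked under Steps to Reproduce is a standard Google Cloud service-account key: a JSON document with "type": "service_account", a client_email under iam.gserviceaccount.com and a PKCS#8 PEM private key, downloaded under the name <project_id>-<first 12 hex digits of private_key_id>.json. The following Python script is an editor's example added to this page, not code from the report, from Beanstalk Farms or from Google. It scans a checked-out repository for files of that shape and reports the fingerprint a responder needs to revoke the key (project_id, client_email, private_key_id) without ever printing the key. The project name, e-mail address, key id, file names and PEM body in the sample are constructed; the download-name rule is a heuristic, and the DER sanity check only confirms the PEM body is a well-formed ASN.1 SEQUENCE, not that the key is valid.

```python
"""Detect committed Google Cloud service-account key files.

Added example; not code from the report, Beanstalk Farms or Google.
The scanner reports a fingerprint (project_id, client_email,
private_key_id) and never prints the key. All sample data is
constructed; the PEM below is not a real key.
"""
import base64, json, os, re, tempfile
from dataclasses import dataclass
from typing import Iterator, Optional

REQUIRED_FIELDS = {"type", "project_id", "private_key_id", "private_key", "client_email"}
SA_EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.iam\.gserviceaccount\.com$")
PEM_RE = re.compile(r"^-----BEGIN PRIVATE KEY-----\n(?P<body>[A-Za-z0-9+/=\n]+?)-----END PRIVATE KEY-----\n?$")
# Heuristic: console/gcloud downloads are named <project_id>-<first 12 hex of key id>.json
DOWNLOAD_NAME_RE = re.compile(r"^[a-z][a-z0-9-]+-([0-9a-f]{12})\.json$")


@dataclass(frozen=True)
class Finding:
    path: str
    project_id: str
    client_email: str
    private_key_id: str          # the id passed to `gcloud iam service-accounts keys delete`
    pem_well_formed: bool
    filename_matches_key_id: bool


def pem_is_well_formed(pem: str) -> bool:
    """True if `pem` is a PKCS#8 PEM block whose body decodes to DER (a SEQUENCE)."""
    m = PEM_RE.match(pem)
    if not m:
        return False
    try:
        der = base64.b64decode(m.group("body").replace("\n", ""), validate=True)
    except ValueError:  # binascii.Error subclasses ValueError
        return False
    return len(der) > 2 and der[0] == 0x30


def parse_service_account_key(text: str) -> Optional[dict]:
    """Return the parsed dict if `text` is a service-account key file, else None."""
    try:
        data = json.loads(text)
    except ValueError:
        return None
    if not isinstance(data, dict) or data.get("type") != "service_account":
        return None
    if not REQUIRED_FIELDS <= set(data) or not SA_EMAIL_RE.match(str(data["client_email"])):
        return None
    return data


def scan_text(path: str, text: str) -> Optional[Finding]:
    """Classify one file's contents; returns a Finding for a key file, else None."""
    data = parse_service_account_key(text)
    if data is None:
        return None
    key_id = str(data["private_key_id"])
    m = DOWNLOAD_NAME_RE.match(os.path.basename(path))
    return Finding(path, str(data["project_id"]), str(data["client_email"]), key_id,
                   pem_is_well_formed(str(data["private_key"])),
                   bool(m and key_id.startswith(m.group(1))))


def scan_tree(root: str) -> Iterator[Finding]:
    """Walk the working tree under `root`, skipping .git, and yield key files found."""
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]  # objects are compressed; scan history separately
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    finding = scan_text(path, fh.read())
            except OSError:
                continue
            if finding:
                yield finding


# Constructed sample: the DER bytes are padding shaped like a PKCS#8 header, not a key.
_FAKE_PEM = ("-----BEGIN PRIVATE KEY-----\n"
             + base64.encodebytes(b"\x30\x82\x04\xa6\x02\x01\x00" + b"\x00" * 25).decode()
             + "-----END PRIVATE KEY-----\n")
SAMPLE_KEY_ID = "0123456789abcdef0123456789abcdef01234567"
SAMPLE_KEY_JSON = json.dumps({
    "type": "service_account", "project_id": "example-analytics",
    "private_key_id": SAMPLE_KEY_ID, "private_key": _FAKE_PEM,
    "client_email": "data-writer@example-analytics.iam.gserviceaccount.com",
    "client_id": "000000000000000000000", "token_uri": "https://oauth2.googleapis.com/token",
}, indent=2)
SAMPLE_BENIGN_JSON = json.dumps({"project_id": "example-analytics", "dataset": "metrics"})


def demo() -> list:
    """Write the constructed samples into a temp tree, scan it, and return the findings."""
    root = tempfile.mkdtemp(prefix="sa-scan-")
    files = {
        "src_py/example-analytics-0123456789ab.json": SAMPLE_KEY_JSON,  # the leak
        "src_py/config.json": SAMPLE_BENIGN_JSON,                      # same project, no secret
        ".git/ignored.json": SAMPLE_KEY_JSON,                          # under .git: skipped
    }
    for rel, body in files.items():
        os.makedirs(os.path.join(root, os.path.dirname(rel)), exist_ok=True)
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(body)
    return sorted(scan_tree(root), key=lambda f: f.path)


if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Running the script scans the constructed tree and reports one finding, the key file under src_py/, while the config file that names the same project and the copy under .git are left alone. Two caveats matter for a leak like the one in this report: the working tree is not the whole story, because a key removed from HEAD is still present at the commit the report links to, so history has to be searched separately; and deleting the file is not the fix. The private_key_id the scanner reports is the value to revoke with gcloud iam service-accounts keys delete KEY_ID --iam-account=EMAIL, after which the leaked file is inert.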