Shiba Inu (ticker: SHIB) is a crypto token with a market capitalization of $6.7B. Created in August 2020 by an anonymous person or group known as Ryoshi, it is currently the 14th largest token by market cap. It started off as a meme token, but it has evolved into a decentralized ecosystem, including a swapping protocol called Shibaswap.
On Aug 22, 2022, at 2:11 PM IST, PingSafe's research framework discovered a leaked Shiba Inu AWS account credential on a public code repository. The credential remained valid for two days before it was invalidated. During that window the company's AWS account was exposed, which in our estimation has the potential to cause serious security breaches, including but not limited to user fund theft, token embezzlement and disruption of services. To protect the integrity of the company, and as per our ethical hacking policy, the PingSafe team did not verify the precise extent of the exposure beyond the basic read-only checks described below.
In the immediate aftermath, we tried to find a bug bounty program or responsible disclosure policy to contact the Shiba Inu team, but to no avail. We also reached out to a few core developers in the Shiba project over Twitter/Telegram, since their public profiles are anonymous with no emails, but no response was received. Further technical detail on the vulnerability is furnished below.
We are publishing this blog post to enable the broader web3 community to become aware of the dangers of leaked secrets & cloud credentials on public source code repositories.
The credential leaked because one of Shiba's internal developers committed AWS infrastructure keys to a public GitHub repository.
The commit was made on the official Shiba Inu repository by one of their developers.
The commit shows that the credentials were indeed public and could have been abused by any attacker during those two days, after which they were invalidated.
Update: The commit is now deleted by the Shiba team.
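The kind of check that catches this before (or right after) a push, as an added example that is not PingSafe's scanner and not Shiba Inu code: it scans text such as a file, a diff or `git log -p --all` output for AWS access key IDs, looks for a labelled secret next to each one, and decodes the AWS account ID that every access key ID embeds, so the owner can be identified before any AWS API is touched. The sample diff is constructed; its key ID is generated from a made-up account ID (123456789012) and the secret is AWS's documentation placeholder.

```python
"""Scan text (a file, a diff, or `git log -p --all` output) for hardcoded AWS keys.

Added example, not PingSafe's scanner and not Shiba Inu code. SAMPLE_DIFF below
is constructed; its access key ID is generated from a made-up account ID and the
secret is AWS's documentation placeholder.
"""
import base64
import re
import sys

# Access key IDs are 20 characters: a 4-character prefix (AKIA = long-term IAM
# user key, ASIA = temporary STS key) followed by 16 base32 characters.
ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[A-Z2-7]{16})\b")

# Secret keys are 40 base64-like characters with no fixed prefix, so they are
# only reported when they sit next to a "secret(_access)?_key"-style label.
SECRET_KEY_RE = re.compile(
    r"(?i)secret[_-]?(?:access[_-]?)?key\W{0,5}([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)


def account_id_from_key_id(key_id: str):
    """Recover the 12-digit AWS account ID embedded in an access key ID.

    The 16 characters after the prefix base32-decode to 10 bytes; the account ID
    is bits 7..46 of the first six bytes (a known property of AWS key IDs, handy
    for triage before touching any AWS API). Returns None if the ID is malformed.
    """
    try:
        raw = base64.b32decode(key_id[4:])
    except (ValueError, TypeError):
        return None
    z = int.from_bytes(raw[:6], "big")
    return (z & 0x7FFFFFFFFF80) >> 7


def key_id_for_account(account_id: int, prefix: str = "AKIA") -> str:
    """Inverse of account_id_from_key_id; used here only to build fake test keys."""
    raw = (account_id << 7).to_bytes(6, "big") + b"\x00\x00\x00\x00"
    return prefix + base64.b32encode(raw).decode("ascii")


def find_aws_credentials(text: str):
    """Return one finding per access key ID in `text`, with the decoded account
    ID and any labelled secret found within three lines of it."""
    lines = text.splitlines()
    findings = []
    for i, line in enumerate(lines):
        for m in ACCESS_KEY_RE.finditer(line):
            key_id = m.group(1)
            window = "\n".join(lines[max(0, i - 3): i + 4])
            secret = SECRET_KEY_RE.search(window)
            findings.append({
                "line": i + 1,
                "key_id": key_id,
                "key_type": ("long-term IAM user key" if key_id.startswith("AKIA")
                             else "temporary STS key (needs a session token too)"),
                "account_id": account_id_from_key_id(key_id),
                "secret": secret.group(1) if secret else None,
            })
    return findings


# Constructed sample: the shape of a config file committed with keys inline.
FAKE_KEY_ID = key_id_for_account(123456789012)  # made-up account ID
SAMPLE_DIFF = f"""\
diff --git a/config/aws.js b/config/aws.js
+module.exports = {{
+  region: "us-east-1",
+  accessKeyId: "{FAKE_KEY_ID}",
+  secretAccessKey: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
+}};
"""

if __name__ == "__main__":
    # Usage: git log -p --all | python scan_aws_keys.py   (falls back to the sample)
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DIFF
    for f in find_aws_credentials(text):
        print(f"line {f['line']}: {f['key_id']} ({f['key_type']}) "
              f"account={f['account_id']} "
              f"secret={'present' if f['secret'] else 'not found nearby'}")
```

Run it over the whole history, not just the working tree: a key that was committed and then removed in a later commit is still in `git log -p --all` and still in every fork and clone. Deleting the commit, as happened here, does not revoke the key; only deactivating or deleting it in IAM does.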
Screenshot with hardcoded credentials:
Leaked Snippet with AWS Keys:
To confirm that the credentials were valid, we issued a credential-validation request to AWS.
The PingSafe team then ran a basic test: listing the IAM users in the Shiba Inu AWS account.
To confirm the reach of the key, the PingSafe team also called the instance-listing API and was able to fetch the instances running in the account.
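The three checks above, validate, list users, list instances, as an added read-only triage script that is not PingSafe's tooling. It takes already-built AWS clients, so the same code runs against boto3 (`boto3.client("sts")`, `"iam"`, `"ec2"`) with the leaked key in the environment, or offline against OfflineStub, a constructed stand-in whose ARNs, user names and instance IDs are made up. The point it adds to the text: `sts:GetCallerIdentity` needs no IAM permission and so proves validity for any key, and an AccessDenied on the listing calls is a finding to record, not an error.

```python
"""Read-only triage of a leaked AWS key pair: whose key is it, and what can it read?

Added example, not PingSafe's tooling. Clients are passed in so the code runs
against boto3 (real AWS) or against OfflineStub, a constructed stand-in that
fakes the three calls used here. Every ARN and ID in the stub is made up.
"""
import json
import re

# Caller ARNs look like arn:aws:iam::<account>:user/<name>,
# arn:aws:iam::<account>:root or arn:aws:sts::<account>:assumed-role/<role>/<session>
ARN_RE = re.compile(r"^arn:aws[a-z-]*:(?:iam|sts)::(\d{12}):(.+)$")


def classify_principal(arn: str):
    """Return (account_id, principal_type, name) for a GetCallerIdentity ARN."""
    m = ARN_RE.match(arn)
    if not m:
        raise ValueError(f"unexpected caller ARN: {arn}")
    account, rest = m.groups()
    if rest == "root":
        return account, "root", "root"                  # account root key: worst case
    kind, _, name = rest.partition("/")
    if kind == "assumed-role":
        return account, "role", name.split("/", 1)[0]  # drop the session name
    return account, kind, name                          # "user" for IAM user keys


def is_access_denied(exc: Exception) -> bool:
    """botocore.exceptions.ClientError carries the code in exc.response; fall back
    to the message so wrappers and stubs that raise plain exceptions also work."""
    code = getattr(exc, "response", {}).get("Error", {}).get("Code", "")
    return (code in {"AccessDenied", "AccessDeniedException", "UnauthorizedOperation"}
            or "AccessDenied" in str(exc) or "UnauthorizedOperation" in str(exc))


def triage(sts, iam, ec2):
    """Validate, identify, then probe two read-only actions; modifies nothing."""
    # sts:GetCallerIdentity needs no IAM permission: it succeeds for any valid
    # key and fails (InvalidClientTokenId) once the key has been deleted.
    ident = sts.get_caller_identity()
    account, ptype, name = classify_principal(ident["Arn"])
    report = {"account": account, "principal_type": ptype, "principal": name, "access": {}}
    # The first page of each listing is enough to prove access; paginate for a full inventory.
    probes = {
        "iam:ListUsers": lambda: [u["UserName"] for u in iam.list_users()["Users"]],
        "ec2:DescribeInstances": lambda: [
            i["InstanceId"]
            for r in ec2.describe_instances()["Reservations"]
            for i in r["Instances"]
        ],
    }
    for action, call in probes.items():
        try:
            report["access"][action] = call()
        except Exception as exc:
            if not is_access_denied(exc):
                raise                                   # network/auth errors are not "denied"
            report["access"][action] = "AccessDenied"   # a finding, not a failure
    return report


class OfflineStub:
    """Constructed stand-in for boto3 sts/iam/ec2 clients (offline demo and tests)."""

    def __init__(self, arn: str, deny=()):
        self.arn, self.deny = arn, set(deny)

    def get_caller_identity(self):
        return {"UserId": "AIDAEXAMPLEUSERID", "Account": self.arn.split(":")[4], "Arn": self.arn}

    def list_users(self):
        if "iam" in self.deny:
            raise PermissionError("An error occurred (AccessDenied) when calling the ListUsers operation")
        return {"Users": [{"UserName": "deploy"}, {"UserName": "ci-bot"}]}

    def describe_instances(self):
        if "ec2" in self.deny:
            raise PermissionError("An error occurred (UnauthorizedOperation) when calling the DescribeInstances operation")
        return {"Reservations": [{"Instances": [{"InstanceId": "i-0123456789abcdef0"}]}]}


if __name__ == "__main__":
    try:
        import boto3  # real SDK; credentials and region come from the environment/profile
        clients = (boto3.client("sts"), boto3.client("iam"), boto3.client("ec2"))
    except ImportError:
        leaked = OfflineStub("arn:aws:iam::123456789012:user/deploy", deny={"iam"})
        clients = (leaked, leaked, leaked)
    print(json.dumps(triage(*clients), indent=2))
```

With boto3 installed, export the leaked pair as AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY (plus AWS_SESSION_TOKEN for an ASIA key) and AWS_DEFAULT_REGION, and stop at this report; the `principal_type` field is what decides severity, with a root key being the worst case and an `assumed-role` session expiring on its own.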
About the disclosure:
The PingSafe team tried reaching out to the Shiba team over Twitter/Telegram but received no response. Surprisingly, there was no responsible disclosure or bug bounty program in place to report such issues. Furthermore, the developers' profiles were anonymous, with no public emails.