
Shiba Inu cloud credentials leaked on a public repository!

Shiba Inu developers leak AWS Access keys on a public code repository, resulting in a compromise of their infrastructure.

Written by Anand Prakash

September 8, 2022 | 3 min read

Shiba Inu (ticker: SHIB) is a crypto token with a market capitalization of $6.7B. Created in August 2020 by an anonymous person or group known as Ryoshi, it is currently the 14th largest token by market cap. It started off as a meme token, but it has evolved into a decentralized ecosystem, including a swapping protocol called Shibaswap.

On Aug 22, 2022, at 2:11 PM IST, PingSafe’s research framework discovered a leaked Shiba Inu AWS account credential on a public code repository. The credentials remained valid for two days before they were invalidated. This exposure put the company’s AWS account at severe risk, which, in our estimation, had the potential to cause serious security breaches, including but not limited to user fund theft, token embezzlement and disruption of services. To protect the integrity of the company and as per our ethical hacking policy, the PingSafe team did not verify the precise extent of the breach.

In the immediate aftermath, we tried to find a bug bounty program or responsible disclosure policy to contact the Shiba Inu team, but to no avail. We also reached out to a few core developers in the Shiba project over Twitter/Telegram, since their public profiles are anonymous with no emails, but no response was received. Further technical detail on the vulnerability is furnished below.

We are publishing this blog post to enable the broader web3 community to become aware of the dangers of leaked secrets & cloud credentials on public source code repositories.

Appendix

The credential was leaked because one of Shiba’s internal developers committed AWS infrastructure keys to a public GitHub repository.

The commit was made to the official Shiba Inu repository by one of their developers.

The commit shows that the credentials were indeed public and could have been abused by any attacker for two days. The credentials were invalidated after two days.

Update: The commit is now deleted by the Shiba team.

Screenshot with hardcoded credentials:

Leaked Snippet with AWS Keys:

export aws_region=us-east-2
export aws_keypair=shibarium
export aws_sg_id=sg-0230031e0b30312dc
export aws_instance_type=t2.medium
export aws_ami_id=ami-02f3416038bdb17fb
export aws_instance_count_validator=1
export aws_instance_count_sentry=1
export aws_instance_tag_validator=validator
export aws_instance_tag_sentry=sentry
export aws_subnet_id=subnet-0c96df2553a35ae11
export aws_access_key=AKIAZEJ4AAZQK4UXQ226
export aws_secret_key=X46rtrFTDaR66mrAHy7LVXwGwvudvhAggwvLpXgZ
export aws_ebs_size=50
export aws_ebs_type=gp3
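As an added example (not part of the PingSafe write-up or the Shiba Inu repository), a small Python scanner of the kind a pre-commit hook or CI job would run over files shaped like the snippet above: it flags AWS access key IDs by their prefix and candidate secret keys by length plus Shannon entropy, and redacts values when reporting. The sample lines and credential values are constructed (AWS’s own documented example keys), not the leaked ones.

```python
import math
import re
from collections import Counter

# Long-term AWS access key IDs start with AKIA (temporary ones with ASIA)
# followed by 16 uppercase alphanumerics, as in "aws_access_key=AKIA...".
ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")

# A secret access key is a 40-char base64-like token; only consider ones
# assigned to a variable whose name contains "secret" or "key".
SECRET_KEY_RE = re.compile(
    r"(?:secret|key)\w*\s*[=:]\s*['\"]?([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+])",
    re.IGNORECASE,
)


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; a real secret key scores well above 4."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def redact(value: str) -> str:
    """Keep only the first and last four characters so reports stay safe to log."""
    return f"{value[:4]}...{value[-4:]}"


def scan_lines(lines, min_entropy: float = 4.0):
    """Return (line_number, finding_type, value) for every credential-like token."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append((lineno, "aws_access_key_id", m.group(0)))
        for m in SECRET_KEY_RE.finditer(line):
            candidate = m.group(1)
            # The entropy threshold drops placeholders such as a run of 'A's.
            if shannon_entropy(candidate) >= min_entropy:
                findings.append((lineno, "aws_secret_access_key", candidate))
    return findings


# Constructed sample in the shape of the leaked env file; keys are AWS's documented examples.
SAMPLE_ENV = """\
export aws_region=us-east-2
export aws_keypair=shibarium
export aws_access_key=AKIAIOSFODNN7EXAMPLE
export aws_secret_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
export other_key=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
export aws_ebs_type=gp3
"""

if __name__ == "__main__":
    for lineno, kind, value in scan_lines(SAMPLE_ENV.splitlines()):
        print(f"line {lineno}: {kind} {redact(value)}")
```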

To confirm that the credentials were valid, we sent a credential-validation request to AWS.

The PingSafe team ran a basic test to list the users in the Shiba Inu AWS account.

To further confirm that the key was valid, the PingSafe team called the List Instances API and was able to fetch the instances running in the account.

About the disclosure:

The PingSafe team tried reaching out to the Shiba team over Twitter/Telegram but failed to receive any response. Surprisingly, there was no responsible disclosure/bug bounty program in place to report such issues. Furthermore, the developers’ profiles were anonymous, with no public emails.