April 30, 2024 at 05:02PM
Docker removed 3 million imageless public repositories from Docker Hub following a discovery by JFrog researchers. The repositories were found to contain links to malicious websites. JFrog highlighted the need for increased moderation on the platform. The attackers exploited a policy loophole that allowed them to include links in description pages. JFrog recommended stricter account creation and repository rules to prevent future attacks.
In summary, researchers from JFrog have identified a significant security threat on Docker Hub, where nearly 3 million imageless repositories were found to contain links to malicious content, leading to large-scale campaigns to distribute spam and malware. These repositories were discovered over a five-year period, with associated metadata that was malicious in nature. JFrog also found that the threat actors took advantage of a Docker policy that allowed short text descriptions and metadata in HTML format, enabling them to easily include embedded links to spam, phishing, and malware sites.
The mass uploads of these repositories occurred in two distinct waves in 2021 and 2023, with various campaigns targeting users to download pirated content, cheats for video games, and free e-books, often leading to malicious file downloads or redirects to malicious sources. JFrog uncovered a third campaign where a threat actor uploaded 1,000 repositories to Docker Hub daily for three years, seemingly for a malicious purpose.
After JFrog informed Docker Hub of these attacks, Docker implemented a protection mechanism that prevents embedding links to external resources in the description pages of imageless repositories. Moving forward, JFrog recommends that Docker restrict the mass creation of accounts and enforce new rules on repository creation, such as prohibiting imageless repositories or restricting the embedding of external links by new users.
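The pattern described above (a repository with no pushed image whose description or HTML metadata carries links to third-party sites) can be screened for in a registry's own listings. The following is an added example written for this summary, not code from JFrog or Docker; it assumes the repository records expose `pull_count`, `last_updated`, `description` and `full_description` fields, uses a constructed sample list, and treats "never pulled and never updated" as the imageless signal.

```python
import json
import re
from urllib.parse import urlparse

# Hosts considered first-party; any other host in a description counts as external.
TRUSTED_HOSTS = {"hub.docker.com", "docs.docker.com", "github.com"}
URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.IGNORECASE)
HREF_RE = re.compile(r"href\s*=\s*[\"']([^\"']+)[\"']", re.IGNORECASE)

# Constructed sample records (assumption: field names modelled on a repository listing).
SAMPLE_REPOS = json.loads("""[
 {"name": "nginx-hardened", "pull_count": 1200, "last_updated": "2023-09-01T10:00:00Z",
  "description": "Hardened nginx build. Source: https://github.com/acme/nginx-hardened"},
 {"name": "free-ebooks", "pull_count": 0, "last_updated": null,
  "description": "Download now!",
  "full_description": "<a href=\\"https://free-ebooks.example.invalid/download\\">Click here</a>"},
 {"name": "empty-placeholder", "pull_count": 0, "last_updated": null, "description": "Coming soon"}
]""")


def external_links(text):
    """Return external URLs found in free text or in HTML href attributes."""
    text = text or ""
    candidates = set(URL_RE.findall(text)) | set(HREF_RE.findall(text))
    result = []
    for url in candidates:
        host = urlparse(url).hostname
        if host and host.lower() not in TRUSTED_HOSTS:  # relative hrefs have no host
            result.append(url)
    return sorted(result)


def is_imageless(repo):
    """Assumed heuristic: a repository that was never pulled and never updated holds no image."""
    return repo.get("pull_count", 0) == 0 and not repo.get("last_updated")


def flag_suspicious(repos):
    """Return (name, links) for imageless repositories whose metadata embeds external links."""
    hits = []
    for repo in repos:
        if not is_imageless(repo):
            continue
        links = external_links(repo.get("description")) + external_links(repo.get("full_description"))
        if links:
            hits.append((repo["name"], sorted(set(links))))
    return hits


if __name__ == "__main__":
    for name, links in flag_suspicious(SAMPLE_REPOS):
        print(f"{name}: {', '.join(links)}")
```

The short description of the flagged sample carries no link at all; the hit comes from the HTML in its full description, which is the field the loophole above relied on.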
Overall, this revelation underscores the need for constant moderation on cloud-based registry platforms like Docker Hub and the importance of implementing stringent security measures to prevent such malicious activities in the future.