Researchers at Spectral discovered a security flaw in Kafdrop, a popular open-source UI and management interface for Apache Kafka clusters that has been downloaded more than 20 million times.
Kafdrop security flaw
Companies affected range from major global players to smaller organizations in healthcare, insurance, media, and IoT – basically anyone using Kafdrop with Apache Kafka, an open-source distributed event streaming platform, for high-performance data pipelines, streaming analytics, data integration, and mission-critical applications.
The Kafdrop flaw has allowed the data from Kafka clusters – everything from financial transactions to mission critical data – to be exposed Internet-wide by simply giving anyone a UI to make it easy to review live Kafka clusters, without authentication.
“We can’t name any of the companies whose clusters we discovered, as we don’t want to give threat actors the edge, but these flaws are exceptionally widespread,” said Dotan Nahum, CEO at Spectral. “Furthermore, since Kafka serves as a central data hub, threat actors with assistance from a flawed Kafdrop, can infiltrate and exfiltrate data and manage the cluster as they see fit. They can connect as a Kafka subscriber to cause further havoc across the entire network.”
Not only does the Kafdrop security flaw expose secrets in real-time traffic, but it also provides authentication tokens and other access details that allow hackers to reach the companies’ cloud providers, such as AWS, IBM, Oracle, and others, on which Kafka clusters are often deployed.
Kafdrop also provides insights into a cluster’s layout and topology, revealing hosts, topics, partitions, and consumers and enables sampling and download of live data as well as topic creation and removal.
“Misusing Kafdrop allows threat actors to access the nervous system of an entire company, revealing customer data, transactions, medical records, internal system traffic, etc. Immediate mitigation is critical,” said Nahum.
Addressing the Kafdrop flaw
Upon discovery of the flaw, Spectral immediately contributed an authentication code addition back into Kafdrop.
For companies who haven’t yet added the authentication code, they can address the Kafdrop flaw by either taking down their Kafdrop UIs or redeploying them behind an app server like Ngnix, using an active and configured authentication module.
Spectral recommends that in order for companies to protect themselves from such security mistakes leading to breaches, they should scan not only code, but also configuration, infrastructure and data horizontally across the complete SDLC.