The 2020 Tokyo Olympics are one of the main topics of discussion around the world. The Summer Olympics, as they are otherwise called, were canceled last year due to the COVID-19 pandemic, and this year they are finally taking place. But what about the security of their systems? Since this is an event that catches everyone's eye, we would imagine security to be at a very high level! But it seems that things are not as we imagine.
According to security researcher Chris Vickery, who published a relevant tweet, Amazon access key credentials were exposed on the websites and display systems of the Olympic Games. Which systems are these? The researcher refers to Eurosport, which describes itself as the "home" of the Olympic Games, and the well-known Discovery.
But let's take a closer look at what it means to expose Access Keys (Access Tokens)
Usually, when we think of credentials, the first thing that comes to mind is a username and password, which individuals and other systems widely use to authenticate. But in software there is an additional type of security credential: the access key. Access keys can be public or private and, depending on the type of service, authenticate third parties or internal systems. Access keys are often more accessible to individuals and have fewer controls and restrictions on their use.
Unfortunately, these access keys can be exposed by software developers or contractors, who may not have noticed that a repository's settings have been changed to public. A study by North Carolina State University found that more than 100,000 GitHub repos have leaked API or cryptographic keys.
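One way a team can catch such a leak before a repository goes public, shown as an added example that is not from the article or the studies it cites: a scanner for AWS-style access keys in text files. The key-ID prefixes, the entropy threshold and the sample file (which uses the placeholder credentials from AWS's documentation) are assumptions of this example.

```python
import math
import re
from collections import Counter

# Long-term IAM user key IDs start with AKIA, temporary STS key IDs with ASIA.
KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")
# Secret access keys are 40 characters drawn from the base64 alphabet.
SECRET = re.compile(r"(?<![A-Za-z0-9/+=])[A-Za-z0-9/+=]{40}(?![A-Za-z0-9/+=])")
ENTROPY_MIN = 4.2  # bits/char (assumed); 40-char hex digests stay below 4.0


def entropy(s):
    """Shannon entropy of s in bits per character."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def redact(value):
    """Keep enough to identify the key for revocation without re-leaking it."""
    return value[:4] + "*" * (len(value) - 8) + value[-4:]


def scan(text):
    """Return (line_no, kind, redacted_value) for each suspected AWS credential."""
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        for m in KEY_ID.finditer(line):
            findings.append((no, "access_key_id", redact(m.group())))
        for m in SECRET.finditer(line):
            # The entropy gate filters 40-char strings that are not random keys.
            if entropy(m.group()) >= ENTROPY_MIN:
                findings.append((no, "secret_access_key", redact(m.group())))
    return findings


# Constructed sample: a config file with AWS's documented placeholder
# credentials, plus a commit hash that must not be reported.
SAMPLE = """\
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
last_deploy_commit = 3f2a9c0b7d1e4f5a6b8c9d0e1f2a3b4c5d6e7f80
region = eu-west-1
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

Run as a pre-commit hook or CI step, a non-empty result from `scan` should block the push, and any key that was already committed should be revoked rather than just deleted from the file.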
Who is at risk?
Databases, cloud storage and other services are at risk from exposed keys, according to a study by Digital Shadows.
In 30 days, Digital Shadows scanned more than 150 million entities from GitHub, GitLab and Pastebin.
During this one-month study, Digital Shadows evaluated and categorized nearly 800,000 access keys and secrets.
More than 40% of these exposed credentials were for database stores, while 38% were for cloud providers such as Google, Microsoft Azure and Amazon Web Services.
Google Cloud Platform was found to have the most exposed keys, with 56.5% of the total. Microsoft Azure keys and SAS tokens account for 22.7% and 12.4% respectively. Although Amazon Web Services is the market leader, the exposed keys for its services accounted for only 8.3% of the total.
What could happen to the Olympics?
By making use of these access keys, hackers could do almost anything: gain access to sensitive files, make changes to servers or manage to interrupt the broadcast of the Olympic Games! In any case, this is definitely a very serious leak, and we will keep you informed of any further developments!