Bumping this one because now Airflow is in the news over it... https://www.bleepingcomputer.com/news/security/contractor-exposes-credentials-for-universal-music-groups-it-infrastructure/?utm_campaign=Security%2BNewsletter&utm_medium=email&utm_source=Security_Newsletter_co_79
On Fri, Mar 23, 2018 at 9:33 AM, James Meickle <jmeic...@quantopian.com> wrote: > While Googling something Airflow-related a few weeks ago, I noticed that > someone's Airflow dashboard had been indexed by Google and was accessible > to the outside world without authentication. A little more Googling > revealed a handful of other indexed instances in various states of > security. I did my best to contact the operators, and waited for responses > before posting this. > > Airflow is not a secure project by default (https://issues.apache.org/ > jira/browse/AIRFLOW-2047), and you can do all sorts of mean things to an > instance that hasn't been intentionally locked down. (And even then, you > shouldn't rely exclusively on your app's authentication for providing > security.) > > Having "internal" dashboards/data sources/executors exposed to the web is > dangerous, since old versions can stick around for a very long time, help > compromise unrelated deployments, and generally just create very bad press > for the overall project if there's ever a mass compromise (see: Redis and > MongoDB). > > Shipping secure defaults is hard, but perhaps we could add best practices > like instructions for deploying a robots.txt with Airflow? Or an impact > statement about what someone could do if they access your Airflow instance? > I think that many people deploying Airflow for the first time might not > realize that it can get indexed, or how much damage someone can cause via > accessing it. >
