Read the original article: ContainerDrip, Another Example of Why HTTP Basic Authentication Is Flawed
The latest exploit in the series of issues with cloud infrastructure software is called “ContainerDrip” (CVE-2020-15157). In some cases, it can cause you to leak your registry secrets to an attacker. The attack is actually a kind of secret or password leak using request forgery. Your client unintentionally makes an HTTP API request to the attacker’s endpoint where this request contains the container image registry secret. In this post, I want to point out the bigger underlying problem, but first the attack.
In a nutshell, when you decide to pull a container image, you download its manifest file first – which describes how the container image actually looks. Container images are made of file system layers, and the manifest file tells you where you can download these layers one-by-one, based on URLs.
Read the original article: ContainerDrip, Another Example of Why HTTP Basic Authentication Is Flawed