Shopify’s $25k Bug Report, and the Cluster Takeover That Didn’t Happen - Greg Castle, Google & Shane Lawrence, Shopify

less than 1 minute read

Abstract

In May, a security researcher reported a vulnerability in a Shopify microservice and demonstrated how it could be used to access keys from the Google Cloud metadata API. This could have led to a cluster takeover, for which Shopify awarded $25k through its bug bounty program. Shane will share his experience responding to the report, analyzing Kubernetes audit logs, and hardening the cluster to block the escalation path. Together, Greg and Shane will describe some example Kubernetes audit log queries that can help discover unusual activity in the form of Kubernetes API access, and assess the impact of credential exposure, such as in this report. The collection of example queries will be released for use by the Kubernetes community and we will also share some hardening best practices.

Sched URL

Video

Twitter Facebook LinkedIn

About

Conferences

Shopify’s $25k Bug Report, and the Cluster Takeover That Didn’t Happen - Greg Castle, Google & Shane Lawrence, Shopify

Abstract

Video

You May Also Enjoy

You Shall Not Pass! Unless You Are GUAC Verified…. - Parth Patel, Kusari & Dejan Bosanac, Red Hat

Living off the Land Techniques in Managed Kubernetes Clusters - Ronen Shustin & Shay Berkovich, Wiz

Leveraging OCI 1.1 for Enhanced SBOM Integration and Vulnerability Scanning in Harbor - Anais Urlichs, Aqua Security & Shengwen Yu, VMware

Lessons Learned from Generating 100M SBOMs: Google’s Approach to SBOM Compliance - Brandon Lum & Isaac Hepworth, Google