The team behind the Shiba Inu token reportedly leaked its AWS credentials for over two days in August.
Shiba Inu’s AWS credentials leaked
Security firm PingSafe published an article on September 8 detailing its findings. It said that on August 22, it discovered that a commit in Shiba Inu’s public GitHub repository displayed credentials related to the project’s Amazon Web Services (AWS) account.
The leak included several pieces of data, including AWS_ACCESS_KEY and AWS_SECRET_KEY, two environment variables that allow scripts to access an AWS account. In this case, the affected code was part of a shell script used to run validation nodes for Shiba Inu’s Layer 2 network, Shibarium.
PingSafe stated that this error “Was seriously exposing the company’s AWS account“and could have resulted in security breaches such as theft of funds, misappropriation of funds, and service interruptions.
PingSafe added that it tried to contact Shiba Inu and various developers via email and social media to inform them of the risk, but did not receive a response. The security company also tried to find a bug bounty program or responsible disclosure policy, but found no way to report the issue.
The leak is no longer a risk, as the credentials became invalid after two days. The Shiba Inu team also removed the commit containing the leak following the Pingsafe report, and more recent code commits do not contain the leaked data.
Shiba Inu was not a major target of the attacks. However, larger attacks have seen the coin stolen: SHIBA was one of the assets stolen in a $611 million attack on Poly Network a year ago, while an attack on Bitmart in December saw $32 million worth of SHIBA tokens stolen.
Shiba Inu is currently the 12th largest crypto-currency in terms of market capitalization, with a market cap of $7.5 billion.