Bitbucket OAuth Access Key

ID

bitbucket_access_token

Severity

critical

Vendor

Bitbucket

Family

Access Key

Description

Bitbucket is a Git-based source code repository hosting service owned by Atlassian.

Integrations and add-ons can use OAuth 2.0 to access resources in Bitbucket, as explained in Use OAuth on Bitbucket Cloud.

Bitbucket keys are associated with a Bitbucket OAuth consumer. An access key is a pair (Key ID, Secret), where the Key ID (for example bcjD7P25UUCRd6dRwT) acts as the username and the Secret (for example 7c5PpGr7n1SV9P88bUv4Cb72SffrGOZ9) acts as the password.

Security

Any leakage of the OAuth Secret is critical. The Key ID is less sensitive, but it should not be made public.

Leakage of a Bitbucket client secret is critical: a bad actor may create a phishing authentication page, identical to the original one, to capture Bitbucket credentials, and then use them to add malicious code to your code repositories or to download source code from your private repositories.

Examples

The following example shows a hardcoded Bitbucket access key (Key ID and Secret) in a Python script:

BITBUCKET_CLIENT_ID = "bcjD7P25UUCRd6dRwT"
BITBUCKET_CLIENT_SECRET = "7c5PpGr7n1SV9P88bUv4Cb72SffrGOZ9"
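As an added example (not part of the original page), the following Python scanner flags hardcoded Bitbucket OAuth credentials of the shape shown above and stays silent on the hardened form that reads them from the environment. The identifier patterns and the 18-/32-character value lengths are assumptions derived from the page's sample values, and the rule name is hypothetical.

```python
import re
from dataclasses import dataclass

RULE_ID = "bitbucket_access_token"  # mirrors the page's detector ID

# Shape assumptions: the page's sample Key ID is 18 alphanumerics and the
# sample Secret 32 alphanumerics. These regexes are derived from those
# samples; they are not an official Bitbucket specification.
HARDCODED_ID = re.compile(
    r"(?i)bitbucket\w*(?:id|key)\s*[:=]\s*[\"']([A-Za-z0-9]{18})[\"']")
HARDCODED_SECRET = re.compile(
    r"(?i)bitbucket\w*secret\w*\s*[:=]\s*[\"']([A-Za-z0-9]{32})[\"']")


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str      # "key_id" or "secret"
    severity: str  # the page rates the Secret critical, the Key ID less sensitive
    masked: str    # value with its middle redacted, safe to put in a report


def mask(value: str) -> str:
    """Keep only the first and last four characters so a report never re-leaks the value."""
    return value[:4] + "*" * (len(value) - 8) + value[-4:]


def scan(source: str) -> list[Finding]:
    """Return one Finding per hardcoded Key ID or Secret literal in the given source text."""
    findings = []
    for n, line in enumerate(source.splitlines(), start=1):
        if (m := HARDCODED_ID.search(line)):
            findings.append(Finding(n, "key_id", "low", mask(m.group(1))))
        if (m := HARDCODED_SECRET.search(line)):
            findings.append(Finding(n, "secret", "critical", mask(m.group(1))))
    return findings


# Constructed samples: the page's hardcoded snippet, and a hardened rewrite
# that reads both values from the environment (e.g. injected by a secrets manager).
HARDCODED = '''
BITBUCKET_CLIENT_ID = "bcjD7P25UUCRd6dRwT"
BITBUCKET_CLIENT_SECRET = "7c5PpGr7n1SV9P88bUv4Cb72SffrGOZ9"
'''
HARDENED = '''
import os
BITBUCKET_CLIENT_ID = os.environ["BITBUCKET_CLIENT_ID"]
BITBUCKET_CLIENT_SECRET = os.environ["BITBUCKET_CLIENT_SECRET"]
'''

if __name__ == "__main__":
    for f in scan(HARDCODED):
        print(f"{RULE_ID}: line {f.line_no} {f.kind} ({f.severity}) {f.masked}")
    print("hardened findings:", scan(HARDENED))
```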

Mitigation / Fix

  1. Follow your policy for handling leaked secrets, which typically requires revoking the secret in the target system(s). Go to Bitbucket settings > Workspace settings, then navigate to Apps and Features > OAuth consumers in the left navigation, select the consumer and choose Delete from the '…' menu to delete the consumer.

    As a shortcut, you may open https://bitbucket.org/WORKSPACE/workspace/settings/api directly, replacing WORKSPACE with your workspace name.

  2. Remove the Access Key from the source code or committed configuration file. Avoid hardcoded secrets; instead, place the keys in a secrets manager (also known as a secret vault).

  3. If the secret is in a Git repository, you may remove unwanted files from the repository history using tools like git filter-repo or BFG Repo-Cleaner. You may follow the procedure listed here for GitHub.

You should consider any sensitive data in commits containing secrets as compromised.

Remember that secrets may be removed from history in your projects, but not in other users' cloned or forked repositories.