Bitbucket Client ID

ID

bitbucket_keys

Severity

low

Vendor

Bitbucket

Family

Password

Description

Bitbucket is a Git-based source code repository hosting service owned by Atlassian.

Bitbucket keys are associated with a Bitbucket OAuth consumer. An access key is a pair (Client ID, Secret Key): the Client ID (for example bcjD7P25UUCRd6dRwT) acts as the username and the Secret Key (for example 7c5PpGr7n1SV9P88bUv4Cb72SffrGOZ9) acts as the password.

Security

Any leakage of the Secret Key is critical. The Bitbucket Client ID is less sensitive, but it should not be made public either.

Examples

The following example shows a hardcoded Bitbucket access key's Client ID (BITBUCKET_CLIENT_ID) in a Python script:

BITBUCKET_CLIENT_ID = "bcjD7P25UUCRd6dRwT"

Mitigation / Fix

  1. Remove the Client ID from the source code or committed configuration file. Avoid hardcoded secrets; instead, store the keys in a secrets vault.

  2. Follow your policy for handling leaked secrets, which typically requires revoking the secret in the target system(s). Go to Bitbucket settings, navigate to OAuth in the left navigation, and click the Delete icon to delete the consumer.

  3. If the file is under a git repository, you may remove unwanted files from the repository history using tools like git filter-repo or BFG Repo-Cleaner. You may follow the procedure listed here for GitHub.

You should consider any sensitive data in commits containing secrets as compromised.

Remember that secrets may be removed from history in your own projects, but not from other users' cloned or forked repositories.
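As an added example (not part of this rule page or of any scanner's own code), the following Python script detects hardcoded Bitbucket Client ID and Secret Key assignments like the one shown in the Examples section, and shows the hardened form from step 1 of the mitigation, where the pair is read from the environment (a stand-in for a secrets vault) instead of being committed. The value lengths the patterns check (18 and 32 alphanumeric characters) are an assumption taken from the sample values on this page, not a documented Bitbucket format, and the sample source lines are constructed.

```python
import os
import re

# Constructed sample source: two hardcoded values, one correct lookup, one unrelated line.
SAMPLE_SOURCE = """\
BITBUCKET_CLIENT_ID = "bcjD7P25UUCRd6dRwT"
BITBUCKET_SECRET = '7c5PpGr7n1SV9P88bUv4Cb72SffrGOZ9'
BITBUCKET_CLIENT_ID = os.environ["BITBUCKET_CLIENT_ID"]
timeout = 30
"""

# Assumed value shapes (18 / 32 alphanumeric chars), taken from the page's sample key pair.
# A quote must follow the '=' so env lookups and function calls are not flagged.
PATTERNS = {
    "bitbucket_client_id": re.compile(
        r'bitbucket[_-]?(?:client[_-]?)?id\s*[=:]\s*["\']([A-Za-z0-9]{18})["\']', re.I),
    "bitbucket_secret": re.compile(
        r'bitbucket[_-]?(?:client[_-]?)?secret\s*[=:]\s*["\']([A-Za-z0-9]{32})["\']', re.I),
}
# Severity mirrors the page: a leaked Client ID is low, a leaked Secret Key is critical.
SEVERITY = {"bitbucket_client_id": "low", "bitbucket_secret": "critical"}


def mask(value):
    """Keep a short prefix for triage so the finding itself does not re-leak the value."""
    return value[:4] + "*" * (len(value) - 4)


def scan(source):
    """Return one finding per hardcoded Bitbucket value, with line number and masked value."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for rule, pattern in PATTERNS.items():
            match = pattern.search(line)
            if match:
                findings.append({"rule": rule, "line": lineno,
                                 "severity": SEVERITY[rule], "value": mask(match.group(1))})
    return findings


def load_bitbucket_credentials(env=os.environ):
    """Hardened form: the pair comes from the environment, never from a committed file."""
    try:
        return env["BITBUCKET_CLIENT_ID"], env["BITBUCKET_SECRET"]
    except KeyError as missing:
        raise RuntimeError(f"missing credential variable {missing.args[0]}") from None


if __name__ == "__main__":
    for finding in scan(SAMPLE_SOURCE):
        print(f"line {finding['line']}: {finding['rule']} [{finding['severity']}] {finding['value']}")
```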