Snowflake Password in URI

ID

snowflake_uri

Severity

critical

Vendor

Snowflake

Family

Password

Description

Snowflake is a Data Cloud provider, offering data storage and analytics services. Authentication credentials used in the different tools (SnowSQL CLI, database drivers…) are based on an account ID, a username and a password.

Snowpark is a library for accessing the Snowflake data services from different programming languages.

This detector looks for hardcoded passwords in Snowflake connection URIs.

The credentials can be inserted in the Snowflake URI. This is bad practice, because the username and password can be passed to the driver separately, without encoding them into the connection URI.

Security

Any hardcoded Snowflake password is a potential secret reported by this detector.

In 2024, some Snowflake customers suffered a massive data breach when info-stealer malware exfiltrated Snowflake credentials from the affected accounts. Leaked Snowflake credentials make the threat actors' work even easier.

Examples

# A connection URI may contain the password encoded
connection_uri=jdbc:snowflake://root:P4ssw0rt!@host.us-east-12.snowflakecomputing.com/my_database
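
The kind of check this detector performs, written as an added example in Python (not the detector's own code or rule). The regular expression, the placeholder list and the function name are assumptions for illustration; the pattern also accepts a bare `snowflake://` scheme and any host name, which goes beyond the single JDBC form shown above.

```python
import re

# Assumed pattern for illustration; the detector's real rule is not shown on this page.
# Matches [jdbc:]snowflake://<user>:<password>@<host>. The password group is greedy,
# so a literal '@' inside an unencoded password is captured up to the last '@'.
SNOWFLAKE_URI = re.compile(
    r"(?P<scheme>(?:jdbc:)?snowflake://)"
    r"(?P<user>[^\s:/@]+):(?P<password>[^\s/]+)@"
    r"(?P<host>[A-Za-z0-9._-]+)",
    re.IGNORECASE,
)

# Values substituted at runtime (env var, template field) are not hardcoded secrets.
PLACEHOLDER = re.compile(r"\$\{\w+\}|\$\w+|<\w+>|\{\w+\}|%s")


def find_hardcoded_passwords(text):
    """Return (line_no, user, host, redacted_uri) per URI carrying a literal password."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in SNOWFLAKE_URI.finditer(line):
            if PLACEHOLDER.fullmatch(m.group("password")):
                continue
            # Mask the password so the finding itself never repeats the secret.
            redacted = f"{m.group('scheme')}{m.group('user')}:***@{m.group('host')}"
            findings.append((line_no, m.group("user"), m.group("host"), redacted))
    return findings


# Constructed sample input: the page's example line plus three constructed variants.
SAMPLE = """\
connection_uri=jdbc:snowflake://root:P4ssw0rt!@host.us-east-12.snowflakecomputing.com/my_database
connection_uri=jdbc:snowflake://root:${SNOWFLAKE_PASSWORD}@host.us-east-12.snowflakecomputing.com/my_database
connection_uri=jdbc:snowflake://host.us-east-12.snowflakecomputing.com/my_database
url = "snowflake://etl_user:s3cr@t@myaccount/analytics"
"""

if __name__ == "__main__":
    for finding in find_hardcoded_passwords(SAMPLE):
        print(finding)
```

Only the first and last sample lines are reported: the second uses a runtime placeholder and the third carries no credentials in the URI.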

Mitigation / Fix

  1. Follow your policy for handling leaked secrets, which typically requires resetting the password for the affected account and user. Example: ALTER USER <user> RESET PASSWORD.

  2. Remove the Snowflake password from the connection URI and change your code or command call to pass the password without hard-coding it.

  3. Check access logs to ensure that the secret was not used by unintended actors during the compromised period.

  4. Try to get the credentials from a secret vault or similar mechanism, instead of hard-coding the credentials in the Snowflake URI.

  5. Consider using multi-factor authentication, at least for admin users and users with access to sensitive data: follow the recommendations given in Identifying Non-MFA Users and Enabling MFA.

  6. As an additional security mechanism for mitigating credential leaks, you may also restrict the access to a given whitelist of IP addresses via a Network Policy.