Bitbucket is a source control tool used by software teams to collaborate easily and work simultaneously on code bases.
In some cases, public access to private repositories is temporarily enabled; this, however, leaves your company at risk of bad actors cloning your repository data without being authorized to do so.
It is always advisable to cross-check both your workspace and individual repository settings for misconfigured access settings.
Once you create a Bitbucket Workspace, your workspace gets an ID assigned (this is usually the name of the workspace, for example: mycompanyname).
You can visit this URL unauthenticated to cross-check what anonymous users get to view:
https://bitbucket.org/{WORKSPACE_ID}
The workspace ID can be guessed or can be enumerated through search engines like Google with the use of search filtering/syntax:
site:bitbucket.org inurl:/workspace/projects
You'll be able to access each individual public repository by opening it on the Workspace overview page:
You can browse through the code and any previous commits:
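An added example (not from the original post) that automates the unauthenticated cross-check above against your own workspace. It assumes the Bitbucket Cloud REST API v2 endpoint /2.0/repositories/{workspace}, which returns paginated JSON with `values` and `next`; the sample pages below are constructed so the script runs offline.

```python
# Added example: list the repositories of a Bitbucket Cloud workspace that an
# anonymous client can see, via the (assumed) REST API v2 endpoint
# /2.0/repositories/{workspace}. Anything returned without credentials is exposed.
import json
import urllib.request

API = "https://api.bitbucket.org/2.0/repositories/"

def fetch_json(url):
    # No Authorization header: we deliberately act as an anonymous user.
    with urllib.request.urlopen(url, timeout=15) as resp:
        return json.load(resp)

def anonymous_repos(workspace_id, fetch=fetch_json):
    """Return repos listed for `workspace_id` without authentication.
    Pages carry `values` (repos) and, if more follow, a `next` URL.
    Every repo returned here is readable by anyone on the internet."""
    exposed = []
    url = API + workspace_id
    while url:
        page = fetch(url)
        for repo in page.get("values", []):
            links = repo.get("links", {}).get("html", {})
            exposed.append({"full_name": repo["full_name"],
                            "is_private": repo.get("is_private", False),
                            "url": links.get("href", "")})
        url = page.get("next")  # absent on the last page, which ends the loop
    return exposed

# Constructed sample pages standing in for the live API so this runs offline.
SAMPLE_PAGES = {
    API + "mycompanyname": {
        "values": [{"full_name": "mycompanyname/website", "is_private": False,
                    "links": {"html": {"href": "https://bitbucket.org/mycompanyname/website"}}}],
        "next": API + "mycompanyname?page=2"},
    API + "mycompanyname?page=2": {
        "values": [{"full_name": "mycompanyname/billing-api", "is_private": False,
                    "links": {"html": {"href": "https://bitbucket.org/mycompanyname/billing-api"}}}]},
}

def audit_sample():
    """Audit the constructed workspace; returns the exposed repo names."""
    return [r["full_name"] for r in
            anonymous_repos("mycompanyname", fetch=SAMPLE_PAGES.__getitem__)]

if __name__ == "__main__":
    # For a real check replace audit_sample() with anonymous_repos("your-workspace-id").
    for name in audit_sample():
        print("EXPOSED:", name)
```

Run it against your own workspace ID: an empty result means anonymous users see nothing, while every name it prints should be reviewed against the repository and workspace settings described below.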
For self-hosted (on-premises) Atlassian Bitbucket instances, locate the bitbucket.properties file in the home directory of your Bitbucket instance and set feature.public.access to false.
On the cloud version, navigate to your repository settings:
And make sure that the "This is a private repository" option is checked, and save your changes:
Additionally, make sure your Workspace visibility settings are also set to private.
To do so:
- Navigate to your workspace
- Click on the settings icon and open Workspace settings
- And make sure the option "Keep this workspace private" is checked and save your settings:
Most code bases are meant to be private, and leaving them publicly accessible can be destructive for some companies.
Most private code bases contain sensitive data, proprietary code (obviously) and sometimes even clear-text credentials.
All of this data can be used for further exploitation by bad actors.