This report was fully disclosed on 11 February 2020
An IP address appearing to be managed by Orchard (formally Perch) and running “Apache Airflow” is accessible to remote unauthenticated users causing sensitive information disclosure and potentially allowing for denial of service and service interruption.
About Orchard: “Orchard launched in 2017 and was previously known as Perch. The company is headquartered in New York City, has 100+ employees and has grown 10x year over year. We have raised over $300 million in financing from top tier investors including: Firstmark, Accomplice, Navitas, and Juxtapose.”
Proof of Concept
The IP address in question is
126.96.36.199:8080. Simply opening the affected target in a web browser reveals sensitive information. Additionally no authentication is required to make modifications within Apache Airflow.
Viewing the affected target reveals several pieces of sensitive data, including but not limited to the following Google Cloud service account keys.
Additionally two other Google Cloud service account keys are exposed at the following URLS.
It is also important to note that in addition to sensitive information disclosure it is also possible to make modifications and perform actions as an administrative user on the Apache Airflow instance. This could lead to remote code execution, denial of service, or additional sensitive information exposure.
- Implement proper access controls.
- Revoke exposed credentials and tokens.
- Review access logs for all exposed services and credentials to ensure no unauthorized access has been detected.
- Implement a security and bug reporting information such as a security.txt file so security researchers can more easily report findings in the future.
- Review the following document Help keep your Google Cloud service account keys safe: taking charge of your security
At the time of publishing this report the initial issue has been resolved. Using an automated resource uptime monitor it was noted that the identified target became unresponsive at 2020-02-11 13:35 UTC, approximately 12 hours and 5 minutes after the initial disclosure email.
Response From Affected Party
Unfortunately, no response has been received from Orchard. This section will be updated if one is ever received.
- 11 February 2020: Affected Party Notified
- 11 February 2020: Affected Party Released Patch (+0 days)
- 11 February 2020: Report Published (+0 days)