Researchers from have found a security flaw in an Apache Airflow instance which allows anybody with an internet connection to view database credentials. It appears that the instance belongs to the Howard Hughes Corporation. Our team spent several days trying to reach someone at the organization who would respond to the notification. Then on Dec 5th a message was sent to senior management and almost immediately public access was restricted and the database and it was no longer available online. This would logically conclude that it did indeed belong to them. We reached out to the Howard Hughes Corporation for comment or questions on multiple occasions, however they have not replied at the time of publishing.

The Danger of Leaving the Front Door Open

The real danger is that cyber criminals could have used the publicly exposed login and password to dig deeper in to their business data, financial, investment or who knows what else? As security researchers we never circumvent passwords or bypass administrative protections, but it is easy to imagine that someone could have accessed far deeper into the private data of  the Howard Hughes Corporation. We can only speculate what information may have been stored there, but considering the NYSE traded company has 1,000 employees and $1.1 Billion in revenue. It is possible that this database could have contained information that cyber criminals or nation states would like to have access to.

How Could This Happen?

Apache Airflow is an open-source tool for orchestrating complex computational workflows and data processing pipelines. Members of the research team discovered the unprotected server and has highlighted in the past that Airflow is wide open by default, organizations “must take the steps to secure the server during setup and configuration,” steps that “were obviously skipped by whomever set up this server”. By failing to adequately safeguard the server the Howard Hughes Corporation inadvertently exposed database credentials.

The Howard Hughes Corporation is a major real estate development and management company based in Dallas, Texas. Of course, the company was founded by Howard Hughes the well known American business magnate, investor,  pilot, engineer, film director, and philanthropist who died in 1976. It is unclear how long the database credentials were publicly exposed or if any 3rd party accessed the Apache Airflow instance.

We would recommend that any company or organization using Apache Airflow ensure that the configuration does not allow public access and to undertake regular security audits or penetration testing. Data leaks happen but preventive actions and having a plan can make a difference when something bad goes wrong.