Project: Sourcetree for Windows
Issue: SRCTREEWIN-13840

Use of Bitbucket App Password in Sourcetree


Details

    • Suggestion
    • Resolution: Unresolved
    • Bitbucket, Git

    Description

      Hi Atlassian,

      I'm sure you're already aware, but I would like to bring to your attention the use of Bitbucket App Passwords in Sourcetree as a security risk. I'd call it a high security risk because the app password is needed every time we do a git clone and is immediately visible in plain text upon pasting it behind the username. Further to that, after each git clone, in the settings of the project in Sourcetree, you can actually see the full app password in plain text as well. The plain text app password is visible even on workstations with only standard user access. This means that even though our environment is set up so that all the devs are standard users (instead of local admin users), an attacker who has successfully got into one of our dev workstations (especially if they are familiar with Sourcetree) can actually grab the app password in plain text, save it somewhere alongside the path, set up the same path in their Sourcetree on their workstation with that app password, and start doing commits, pushes, pulls, etc. as that user. If that user uses the same app password for each of their projects, then essentially an attacker could use that same app password to do git clones from several projects. If that user uses different app passwords for each of their projects, then they might not be aware if an attacker has compromised one of their app passwords to do git clones for whichever project. All this pretty much defeats the purpose of turning on multi-factor authentication.

      If there is a better or more best-practice way to authenticate from Sourcetree to Bitbucket (or if our company is just using app passwords wrong entirely), I'm more than happy to hear how we should be doing it instead and push out a new implementation to our devs. But as is, I couldn't figure out a sustainable way to authenticate with Sourcetree apart from using app passwords. I have tried using SSH for authentication, but that broke after just one day of testing.

      Microsoft has plans to deprecate basic authentication and legacy authentication (this year, I believe), which to me means that big corps will start moving away from basic authentication, legacy authentication, and app passwords entirely eventually. I would like to know if there are plans to build 2FA into the Sourcetree app when used with Bitbucket in the near future, as that would be absolutely critical security-wise, I would think.

      Regards,

      Brandon Chuah
