index 日本語

Internet of Tomohiro

If you found my articles interesting or useful, please donate using following links:

Security problem found in Google Colaboratory

I have found a security problem in Google Colaboratory that related to OpenSSH server and I reported it to Google. I got listed on the Honorable Mentions in the Bughunter.

This problem has been fixed. This bug was a problem in the case you run OpenSSH server on a Google Colaboratory's virtual machine and allow you to login to the machine through the internet. I think most of Google Colaboratory users don't do that, but I wrote a article about how to do that and there are people talking about it on the internet. I found a following code to run OpenSSH server on the Google Colaboratory and allow you to login to it.

By the way, this code generates a password using Python's random module. But it is not designed for security or cryptography. It should generate a password using secrets module. Please check following link for more details.

When I found the problem, OpenSSH server was installed in all Google Colaboratory's virtual machines. Following files are private host keys used for authenticating computers and they should be unique and secret.


You can see the content of these files by running following code in a cell of Colaboratory.

!cat /etc/ssh/ssh_host_ecdsa_key
!cat /etc/ssh/ssh_host_ed25519_key
!cat /etc/ssh/ssh_host_rsa_key

The problem is these private host keys were never changed. I reset a runtime, changed runtime type or login as another user, but the content of these files never changed. That means files need to be secret were actually public. Following site explains that if a attacker got a private host key, he can perform man-in-the-middle attacks.

That problem has been fixed by not installing openssh-server package. Private host keys are generated when openssh-server is installed and these files should have random and unique value. I still don't know why openssh-server was installed on Colaboratory's virtual machines.

Some people install all programs they want to use and copy whole file system as a image file so that they can easily make a machine with same file system. As private host keys are generated when installing OpenSSH server, if you create a image file after installing OpenSSH server without removing private host keys and publish the image, you would get the similar problem. You have to keep the image file secret or remove private host keys before creating a image file.

by Tomohiro