Hack Allows Escape of Play-With-Docker Containers

secwatcher quotes a report from Threatpost: Researchers hacked the Docker test platform called Play-with-Docker, allowing them to access data and manipulate any test Docker containers running on the host system. The proof-of-concept hack does not impact production Docker instances, according to CyberArk researchers that developed the proof-of-concept attack. 'The team was able to escape the container and run code remotely right on the host, which has obvious security implications,' wrote researchers in a technical write-up posted Monday.



Play-with-Docker is an open source free in-browser online playground designed to help developers learn how to use containers. While Play-with-Docker has the support of Docker, it was not created by nor is it maintained by the firm. The environment approximates having the Alpine Linux Virtual Machine in browser, allowing users to build and run Docker containers in various configurations. The vulnerability was reported to the developers of the platform on November 6. On January 7, the bug was patched. As for how many instances of Play-with-Docker may have been affected, 'CyberArk estimated there were as many as 200 instances of containers running on the platform it analyzed,' reports Threatpost. 'It also estimates the domain receives 100,000 monthly site visitors.'

Read more of this story at Slashdot.