Many Prometheus Endpoints Expose Sensitive Data


Prometheus scrapes real-time metrics from instrumented endpoints, letting organizations track system state, network usage and similar indicators. Close to 800 cloud-native platforms, including Slack and Uber, use it.

In January 2021 (release 2.24.0), Prometheus added support for Transport Layer Security (TLS) and basic authentication on its HTTP endpoints, to restrict access to the captured metrics. Both are opt-in, however: a server started without a web configuration file still answers over plain, unauthenticated HTTP. Numerous Prometheus endpoints that are reachable from the Internet were found to leak metric and label data, JFrog reveals.
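The opt-in protection looks like the following web configuration file. This is an added example, not configuration from the article or from the Prometheus project; the file name, certificate paths, user name and the placeholder hash are assumptions, and the option names are those documented for Prometheus 2.24 and later.

```yaml
# web-config.yml (added example; file name and paths are assumptions)
# Hand the file to the server at start-up:
#   prometheus --web.config.file=web-config.yml

tls_server_config:
  # Serve the API and /metrics over HTTPS instead of plain HTTP.
  cert_file: /etc/prometheus/tls/server.crt
  key_file: /etc/prometheus/tls/server.key
  # Optional: also require a client certificate (mutual TLS).
  # client_auth_type: RequireAndVerifyClientCert
  # client_ca_file: /etc/prometheus/tls/ca.crt

basic_auth_users:
  # Passwords are stored only as bcrypt hashes. Generate one with:
  #   htpasswd -nBC 12 "" | tr -d ':\n'
  # The value below is a placeholder, not a real credential.
  prometheus: "$2y$12$REPLACE_WITH_A_REAL_BCRYPT_HASH"
```

With this file in place an unauthenticated request such as `curl -sk -o /dev/null -w '%{http_code}\n' https://host:9090/api/v1/status/config` should return 401 rather than 200. Remember that Prometheus scrapes itself by default, so the `prometheus` job in `prometheus.yml` then needs `scheme: https` and a matching `basic_auth` block, or that target will start failing.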

Prometheus, JFrog says, long left authentication and encryption to reverse proxies rather than building them in, so that development could focus on monitoring features. The result is that many kinds of sensitive data have leaked from exposed instances, often without the developers who deployed them realizing it.