PRP: Secret extractor for DataBricks User Account OAuth2 Client Credentials

[0xXA]

• Secret name: DataBricks User Account OAuth2 Client Credentials
• DataBricks Explained:
  • What is DataBricks ?

   Databricks is a cloud-based data & AI platform built on top of Apache Spark.
   It’s designed to help companies store, process, analyze, and build machine learning models using massive amounts of data.
   Think of it as a workspace where data engineers, data scientists, and analysts all work together on big data.
   
   It runs on top of cloud providers like: AWS, Azure, and Google Cloud.
   Companies use Databricks for Big Data Processing, Data Warehousing & Analytics, and Machine Learning & AI.
  

  • What type of accounts are there in DataBricks ?

   There are two types of accounts that are used for authentication:
  
   	User account: For interactive CLI commands and API calls.
   	Service principal: For automated CLI commands and API calls without human interaction.
  

  • Does DataBricks OAuth Client Credentials have a specific format ?

   DataBricks OAuth2 Client Credentials regardless of User Account or Service Principal have the following format:
   	CLientID is UUID like string
   	Client Secret begins with a "dose" prefix followed by an Alphanumeric String. In concret regex terms: dose[a-zA-Z0-9]
  

• Risk in exposing the secret:

   Leaked OAuth credentials can be used to generate a PAT, which is basically account takeover via API. Depending on the token owner's permissions, an attacker may be able to:
   Access Sensitive Data (customer's private data), Steal Intellectual Property (source code), Destroy or Corrupt Data,
   Run Malicious Workloads, and Move Laterally in the Cloud (S3 and GCS buckets).
  

• Validation method, if any:

• Send a POST request to /api/2.0/token/create endpoint with Workspace URL below to as host validate the secret:
  https://accounts.cloud.databricks.com // For AWS
  https://accounts.gcp.databricks.com // For Google Cloud
  https://accounts.azuredatabricks.net // For Microsoft Azure
  One must also include this in the header: OAuth2 Client Credentials and Account id
  We must note that Account id is only required for User Account authentication.
• If the response code is 200 or 400 or 401, then it's a valid token

• Resources:
  • AWS DataBricks Documentation
  • Token Creation Endpoint Documentation
  • GCP DataBricks Documentation
  • Azure DataBricks Documentation
  • AWS DataBricks Account Type & Authentication Documentation
  • GCP DataBricks Account Type & Authentication Documentation
  • Token Creation Endpoint Documentation

[github-actions]

Welcome to the OSV-SCALIBR patch reward program!
Your issue has been added to our triage queue and will reviewed
shortly. The panel usually takes a decision once per week, so it
can take up to a week before you hear back from us.
Please, do not start the work until the panel has reached a
decision. Although we always welcome contributions, unapproved
work is not eligible for a reward.
~The OSV-SCALIBR PRP team