Microsoft Alerts That Default Helm Charts May Expose Kubernetes Apps to Data Leaks

Microsoft’s cybersecurity research team has issued a stark warning about the risks of using default Helm charts and Kubernetes deployment templates, revealing that popular cloud-native applications like Apache Pinot, Meshery, and Selenium Grid are being deployed with critical security gaps.

These misconfigurations-often prioritizing convenience over protection-allow attackers to hijack databases, execute arbitrary code, and gain administrative control over clusters.

Apache Pinot, a real-time analytics database used for low-latency queries on large datasets, exemplifies the dangers of “default-by-convenience” configurations.

- Advertisement -

Microsoft’s Defender for Cloud team found that the official Helm chart exposes Pinot’s broker and controller services via Kubernetes LoadBalancer services without authentication.

This allows unrestricted access to Port 9000, where attackers can query sensitive datasets or manipulate cluster configurations through Pinot’s dashboard.

Recent incidents analyzed by Microsoft revealed attackers exploiting these gaps to exfiltrate data from organizations using Pinot.

Despite documentation noting the setup is a “reference” configuration, no warnings about inherent security risks are provided, leaving enterprises unaware of the exposure.

Meshery Open Registration Risks Clusters

Meshery, a platform for managing cloud-native infrastructure, introduces another vector for exploitation.

Its default Helm installation exposes the interface via an external IP and allows unrestricted user sign-ups.

Attackers can create accounts to gain access to dashboards showing cluster metrics, deployed services, and even deployment capabilities for new pods.

“This isn’t just about data leaks,” explains Yossi Weizman, Principal Security Research Manager at Microsoft. “Attackers who register as users can deploy malicious workloads, escalating privileges to take full control of nodes”.

While Meshery’s team advises network restrictions, the default configuration assumes internal use, a dangerous oversight for internet-facing deployments.

Attackers Target Selenium Grid

Selenium Grid, a tool for automated browser testing, has recently been targeted in widespread attack campaigns.

Though its official Helm chart avoids external exposure, Microsoft identified third-party GitHub templates using NodePort or LoadBalancer services to expose Selenium instances.

These setups, often copied from community repositories, lack authentication, allowing attackers to hijack browser sessions or deploy crypto-mining software.

Security firms like Wiz and Cado Security have documented cases where attackers exploited Selenium Grid to execute commands on underlying nodes.

“The combination of no authentication and internet exposure is catastrophic,” says Michael Katchinskiy, a Microsoft security researcher. “It turns a testing tool into a gateway for cluster takeover”.

The Path to Mitigation

Microsoft urges organizations to:

1. Audit Helm charts for unnecessary external exposure (e.g., LoadBalancer services) and replace them with ClusterIP where possible.
2. Enforce authentication even for internal services, using Kubernetes network policies or service meshes.
3. Monitor deployments for anomalous activities, such as unexpected user registrations or pod creations.

“Default configurations are a double-edged sword,” Weizman notes. “They simplify deployment but often ignore the threat model of real-world environments”.

With cloud-native attacks rising, proactive hardening of Helm charts is no longer optional-it’s critical to safeguarding data and infrastructure.

Setting Up SOC Team? – Download Free Ultimate SIEM Pricing Guide (PDF) For Your SOC Team -> Free Download