The internal tool that holds prod: Retool resource credential abuse
Retool apps connect to production with a stored, privileged credential, so reaching the app means querying prod without ever holding the database password. Here is how to contain it.
Retool internal-tool apps connect to databases and APIs using stored, privileged credentials, so the app itself holds standing access to production. Reaching the app is enough to query prod.
How the attack works
A Retool app backed by a production database resource is opened from a new host by an account not normally on it. The session runs an ad hoc query through the app’s resource connection and gets back customer records far beyond the app’s normal screens. Repeated queries page through large tables, using the resource’s standing privileges rather than any user-level access, and the resource turns out to use a shared high-privilege database account. The attacker never held the database password directly, because the resource connection carried it. In ATT&CK terms this is T1078, Valid Accounts, with T1552, Unsecured Credentials, and the data theft maps to T1213, Data from Information Repositories.
Why it works
The internal tool is a privileged proxy into production. Resources use shared, high-privilege standing accounts and apps can run arbitrary queries, so one credential grants broad reach.
How to fix it
The non-obvious move is that suspending the one user does not contain it, because the resource credential is shared and still grants prod access through any other path into the app. Rotate the resource credential to cut the standing access, then tighten the app and resource permissions to limit what any session can run. For the class fix, give resources least-privilege accounts, prefer per-user or database-level controls, restrict apps to parameterized queries, and inventory which apps hold standing prod credentials. Scope what was returned by joining the Retool query log with the database query history over the window.
Practice it
We built this as a GraphLattice Range scenario so teams can rehearse the over-scoped query, the rotate-the-resource-credential containment, and the framing that internal-tool access via a standing credential is direct data access.