
#BugBounty — AWS S3 added to my “Bucket” list!
Avinash Jain (@logicbomb_1)
Jan 16, 2018 · 2 min read

Hi Guys,

You might remember the Million Dollar Instagram Bug that allowed security
researcher Wes Wineberg to access every single image and account on
Instagram. This was only possible because he had gained access to Instagram’s
S3 bucket, where the company stored everything from source code to images.
In this particular blog, I would be explaining to you “How a misconfigured AWS
storage bucket can be a huge security risk”.

Recently during my bug hunting, I came across a misconfigured AWS S3
bucket of an Indian E-commerce Company which gave me full access to their
S3 bucket, allowing me to download, upload and overwrite files. Let’s dig
deeper into this and see how I was able to do so — So, while in search for
some security vulnerabilities in the website, I came across a career page from
where users can apply for the relevant jobs and upload their resume. I started
testing it out and found an endpoint (let’s name the company out as xyz) -

“https://xyz.s3.amazonaws.com/career%2Ftest.pdf” and there was no ACL
restriction set, any non-authenticated user could simply access any file and
below was the curl request —

curl -XGET 'https://xyz.s3.amazonaws.com/career/test.pdf'

and the response was the content of test.pdf. Similarly, I discovered that
the “PUT” method was enabled on the S3 bucket and I could simply write any file
onto the S3 bucket, it was publicly writable.

curl -XPUT -d 'HACKED' 'https://xyz.s3.amazonaws.com/career/test.pdf'

I ran some bruteforcing over filename and I was able to read the resume
content of other users. :) Now, I have to take this one level up, my next
target was to list down and read all the files that were available onto S3
bucket. I connected to s3 command line and ran the following command

root@logicbomb:~# aws s3 ls s3://xyz.s3.amazonaws.com

and to no surprise, I was able to access the complete s3 bucket, all the
CVs/Resumes of users (also there were more sensitive data and directories)
were publicly accessible and readable :) I tried some more commands -

root@logicbomb:~# aws s3 rm s3://xyz.s3.amazonaws.com/career/test.pdf

delete: s3://xyz.s3.amazonaws.com/career/test.pdf

and I was also able to delete the files.
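From the defender's side, every one of the requests above leaves a trace: S3 server access logging records each request against the bucket, and writes "-" in the requester column when no credentials were presented. The script below is an added example (not code from the post or from the company involved) that classifies successful anonymous reads, listings, writes and deletes from such logs. The log lines are constructed for illustration; the bucket owner canonical ID, request IDs and IP addresses are placeholders, and only the first eighteen log fields are used.

```python
"""Spot anonymous (unauthenticated) reads, listings, writes and deletes in
S3 server access logs. Added example, not the original post's code; the log
lines below are constructed and the owner ID, request IDs and IPs are dummies."""
import re
from collections import Counter

# Fields are space separated, but the timestamp is bracketed and the request
# URI, referer and user agent are double-quoted, so a plain split() would
# break those fields apart. Tokenise with a regex that keeps them whole.
_TOKEN = re.compile(r'\[[^\]]*\]|"[^"]*"|\S+')

# Leading field names of the S3 server access log format, in order.
FIELDS = ("bucket_owner", "bucket", "time", "remote_ip", "requester",
          "request_id", "operation", "key", "request_uri", "http_status",
          "error_code", "bytes_sent", "object_size", "total_time",
          "turnaround_time", "referer", "user_agent", "version_id")

# Operations that matter for a public-bucket review, mapped to the exposure
# they prove when the requester is anonymous and the request succeeded.
EXPOSURE = {
    "REST.GET.OBJECT": "public-read",
    "REST.GET.BUCKET": "public-list",
    "REST.PUT.OBJECT": "public-write",
    "REST.DELETE.OBJECT": "public-delete",
}


def parse_line(line):
    """Map one access-log line to a dict keyed by FIELDS."""
    return dict(zip(FIELDS, _TOKEN.findall(line)))


def anonymous_findings(lines):
    """Return (exposure, key, remote_ip) for each successful anonymous request.
    Denied attempts (403) are skipped: only a 2xx proves the bucket was open."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec.get("requester") != "-":          # signed request, not our concern here
            continue
        exposure = EXPOSURE.get(rec.get("operation"))
        if exposure is None or not rec.get("http_status", "").startswith("2"):
            continue
        findings.append((exposure, rec["key"], rec["remote_ip"]))
    return findings


def exposure_summary(lines):
    """Count findings per exposure class, e.g. {'public-write': 1, ...}."""
    return Counter(f[0] for f in anonymous_findings(lines))


# Constructed sample log: one authenticated upload by the careers app, four
# successful anonymous requests matching the post's findings, and one denied
# anonymous read (a bucket that is actually locked down looks like the last line).
SAMPLE_LOG = """\
CANONICALIDPLACEHOLDER xyz [16/Jan/2018:10:01:02 +0000] 198.51.100.7 - 3E57427F3EXAMPLE REST.GET.OBJECT career/test.pdf "GET /career/test.pdf HTTP/1.1" 200 - 2048 2048 12 11 "-" "curl/7.58.0" -
CANONICALIDPLACEHOLDER xyz [16/Jan/2018:10:01:30 +0000] 203.0.113.9 arn:aws:iam::111122223333:user/careers-app 7C7E1EXAMPLE REST.PUT.OBJECT career/applicant-42.pdf "PUT /career/applicant-42.pdf HTTP/1.1" 200 - - 51200 30 25 "-" "aws-sdk-java/1.11" -
CANONICALIDPLACEHOLDER xyz [16/Jan/2018:10:02:11 +0000] 198.51.100.7 - 9D5B2EXAMPLE REST.PUT.OBJECT career/test.pdf "PUT /career/test.pdf HTTP/1.1" 200 - - 6 9 8 "-" "curl/7.58.0" -
CANONICALIDPLACEHOLDER xyz [16/Jan/2018:10:02:40 +0000] 198.51.100.7 - A1F3CEXAMPLE REST.GET.BUCKET - "GET /?list-type=2 HTTP/1.1" 200 - 4096 - 15 14 "-" "aws-cli/1.14.30" -
CANONICALIDPLACEHOLDER xyz [16/Jan/2018:10:03:05 +0000] 198.51.100.7 - B77E0EXAMPLE REST.DELETE.OBJECT career/test.pdf "DELETE /career/test.pdf HTTP/1.1" 204 - - - 7 6 "-" "aws-cli/1.14.30" -
CANONICALIDPLACEHOLDER xyz [16/Jan/2018:10:04:00 +0000] 198.51.100.7 - C0D1AEXAMPLE REST.GET.OBJECT hr/salaries.xlsx "GET /hr/salaries.xlsx HTTP/1.1" 403 AccessDenied - - 5 - "-" "curl/7.58.0" -
"""

if __name__ == "__main__":
    for finding in anonymous_findings(SAMPLE_LOG.splitlines()):
        print(*finding)
    print(dict(exposure_summary(SAMPLE_LOG.splitlines())))
```

A single successful anonymous REST.PUT.OBJECT or REST.DELETE.OBJECT is enough to alert on; anonymous REST.GET.OBJECT may be intended for a bucket that serves public assets, so compare the key prefix against what the bucket is actually meant to publish before paging anyone. Server access logging is off by default, so it has to be enabled on the bucket before any of this can be observed.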

In conclusion, a misconfigured S3 bucket may lead your
organisation to expose sensitive data.

Mitigation — Advise you to promptly review your S3 buckets and their contents
to ensure that you are not inadvertently making objects available to users that
you don’t intend. For reference, you can read the below link —

Amazon S3 Security: master S3 bucket policies and ACLs (cloudacademy.com)
“Welcome to part 8 of my AWS Security Series. This week I shall be looking at
some of the security features around the…”
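The review the mitigation calls for comes down to two documents per bucket: the bucket policy and the ACL. The following added example (not the post's code, nor the linked article's) audits both for anonymous grants and places a policy of the shape that reproduced the finding beside a private one. All policies, ACL grants, the canonical user ID and the role ARN are constructed for illustration.

```python
"""Audit a bucket policy and ACL for anonymous grants, and show the private
configuration. Added example, not the original post's code; the policies,
ACL grants, canonical ID and role ARN below are constructed for illustration."""
import json

# The two ACL grantee groups that make a bucket or object public.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anyone on the internet",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account",
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_wildcard_principal(principal):
    """Principal "*" and {"AWS": "*"} both mean every requester, signed or not."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def public_policy_statements(policy):
    """Return (Sid, actions) for each Allow statement open to every principal
    and not narrowed by a Condition (conditional grants need a human review)."""
    hits = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        if _is_wildcard_principal(stmt.get("Principal")):
            hits.append((stmt.get("Sid", "<no Sid>"), _as_list(stmt["Action"])))
    return hits


def public_acl_grants(acl):
    """Return (permission, who) for grants to AllUsers or AuthenticatedUsers."""
    hits = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        who = PUBLIC_GROUPS.get(grantee.get("URI"))
        if grantee.get("Type") == "Group" and who:
            hits.append((grant["Permission"], who))
    return hits


def is_public(policy, acl):
    return bool(public_policy_statements(policy) or public_acl_grants(acl))


# Constructed: a policy of the shape that reproduces the post's findings
# (anonymous read, write, delete and listing on the career/ prefix).
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicCareerObjects", "Effect": "Allow", "Principal": "*",
         "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
         "Resource": "arn:aws:s3:::xyz/career/*"},
        {"Sid": "PublicList", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::xyz"},
    ],
}

# Constructed: only the application's own role (hypothetical ARN) may touch
# uploads, and requests that are not made over TLS are refused outright.
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "CareersAppOnly", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/careers-app"},
         "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
         "Resource": "arn:aws:s3:::xyz/career/*"},
        {"Sid": "DenyPlaintextTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": ["arn:aws:s3:::xyz", "arn:aws:s3:::xyz/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
}

OWNER = {"Type": "CanonicalUser", "ID": "CANONICAL-ID-PLACEHOLDER"}
WEAK_ACL = {"Grants": [
    {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group",
                 "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
    {"Grantee": {"Type": "Group",
                 "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "WRITE"},
]}
HARDENED_ACL = {"Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]}

if __name__ == "__main__":
    for name, pol, acl in (("weak", WEAK_POLICY, WEAK_ACL),
                           ("hardened", HARDENED_POLICY, HARDENED_ACL)):
        print(name, "public" if is_public(pol, acl) else "private",
              public_policy_statements(pol), public_acl_grants(acl))
    print(json.dumps(HARDENED_POLICY, indent=2))
```

The two audit functions take the same JSON that `aws s3api get-bucket-policy` (the `Policy` field, once parsed) and `aws s3api get-bucket-acl` return, so they can be run across every bucket in an account. Note that the ACL check matters even when the policy is clean: the weak ACL alone makes the bucket readable and writable by anyone, which is why the AllUsers and AuthenticatedUsers groups should be absent from every grant unless the bucket is deliberately a public web host. Since this post was written AWS has also added account- and bucket-level "Block Public Access" settings that reject public ACLs and policies before they take effect; turning those on removes this whole class of mistake.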

Report details-

08-Dec-2017 — Bug reported to the concerned company.

29-Dec-2017 — Bug was marked fixed.

01-Jan-2018 — Re-tested and confirmed the fix.

07-Jan-2018 — Awarded by company.

Thanks for reading!

~Logicbomb (https://twitter.com/logicbomb_1)
