Obtained a bunch of sensitive data in just a few steps — Hacking
During my hacking activity, I always try to learn the app's business process / flow. I'll go through the flows one by one. For example: if my target is an e-commerce platform, I will start by looking for bugs/vulnerabilities in the “checkout flow — from choosing the goods to buy until checkout succeeds”. And if you can't find bugs/vulnerabilities inside, you can try from the outside: “other services used by the system”.
This is our main topic today: the “services called AWS”.
But before we deep dive into AWS I want you to read my story first laaa, come on….. every article has its own bridging, right? haha
My target this time was Company XYZ, which is an e-commerce platform. After one week of playing around with their API, “following their app flows one by one”, I still had nothing. So I tried to find another way; luckily for me, I have a friend who is also my mentor. He told me that if you find nothing inside, why not just try attacking from the outside: “I think their system is using AWS”. Such a good clue, yay!
Let's talk a bit about AWS.
Amazon Web Services (AWS) is a subsidiary of Amazon that provides on-demand cloud computing platforms and APIs to individuals, companies, and governments, on a metered pay-as-you-go basis.
Mostly, companies use these services to make it easier to store user data without investing in real servers. But sometimes they forget to set up this environment properly, and that can let unauthorized users get into their bucket/folder/cloud storage.
Now we started to test all of their AWS services. In my first scan, I found 3 URLs that represent their cloud storage. I checked with my mentor, “have you tested these?”, and he said “yes”. Well okay, we looked again in case he had missed something. After a few hours I finally found one more URL. Again I checked with my mentor and he said “I've never tested it”. ahhhhhh finally wkwkwkw.
In AWS testing, basically we just need to hit a certain URL to see if it returns all the stored files. I tried the manual method and it seems this URL allows anyone to get into their bucket. It looks like this:
So I fired up my tools and tried to do a penetration test on this URL. You can easily deal with AWS services using several commands, such as:
- LS (to list all stored files) -> ex: aws s3 ls s3://infosec-startup.com/
- CP (to download sensitive files from the S3 bucket to your system) -> ex: aws s3 cp s3://infosec-startup.com/credenitals.txt .
- RM (to remove/delete any contents from the bucket) -> ex: aws s3 rm s3://infosec-startup.com/credenitals.txt
- SYNC (to download all files to your system) -> ex: aws s3 sync s3://infosec-startup.com/ .
I tested all of the commands and it seems that the only commands allowed are ls, cp, and sync.
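A defender can check for the same exposure from the configuration side. The added example below (not code from the original write-up) reads a bucket policy and reports which of the commands above an anonymous caller could run. The write-up does not say which setting was at fault, so the wildcard-principal policy, the placeholder bucket name and the function names are assumptions; statements with a Condition are skipped, and Resource matching and ACLs are not evaluated.

```python
import fnmatch

# S3 actions behind the CLI commands named in the write-up.
CLI_ACTIONS = {"ls": ["s3:ListBucket"], "cp": ["s3:GetObject"],
               "sync": ["s3:ListBucket", "s3:GetObject"], "rm": ["s3:DeleteObject"]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_anonymous(principal):
    # Principal "*" or {"AWS": "*"} covers everyone, including unauthenticated callers.
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def _matches(stmt, action):
    # IAM action names are case-insensitive and may use * and ? wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), pattern.lower())
               for pattern in _as_list(stmt.get("Action", [])))

def anonymous_commands(policy, restrict_public_buckets=False):
    """Return the CLI_ACTIONS commands an anonymous caller could run under this policy."""
    if restrict_public_buckets:
        return set()  # Block Public Access (RestrictPublicBuckets) cuts off public policies
    stmts = [s for s in _as_list(policy.get("Statement", []))
             if _is_anonymous(s.get("Principal")) and "Condition" not in s]

    def allowed(action):
        # An explicit Deny always wins over an Allow.
        denied = any(s.get("Effect") == "Deny" and _matches(s, action) for s in stmts)
        granted = any(s.get("Effect") == "Allow" and _matches(s, action) for s in stmts)
        return granted and not denied

    return {cmd for cmd, actions in CLI_ACTIONS.items() if all(map(allowed, actions))}

# Constructed sample policy; "example-bucket" is a placeholder, not the bucket from the story.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:ListBucket", "s3:GetObject"],
        "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
    }],
}

if __name__ == "__main__":
    print(sorted(anonymous_commands(SAMPLE_POLICY)))
```

With the sample policy the result matches the behaviour described in the story: listing and downloading work for anyone, deleting does not.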
Then I just directly downloaded whatever files were inside to see if they contained sensitive data or not, and the result looks like this:
I realized that all the stored files are files without an extension. So I just tried opening them with a file opener such as PDF, and boom, the result looks like this:
We had just spotted the cloud storage with all the transaction invoices (containing full name, email, user address, amount, phone number, etc.) inside, and we were able to download them. “Critical”
Furthermore, when I ran the sync command and filtered by a certain extension, it returned more sensitive data, “their monthly sales report data”. BOOM:
It contains sales data per “channel, order type, region, etc.”:
After all of this, we're white hats, so I reported my findings to their management. Luckily my client is fully aware of security vulnerabilities and they appreciated my work. Thanks to them!! I really appreciate that!!
Here is my timeline :
- 25/03/2020 : Findings.
- 01/04/2020 : Create a report and submit it.
- 02/04/2020 : Management validated and confirmed.
- 15/04/2020 : Bug Fixed & re-test.
- 27/04/2020 : They awarded me $550.