Improper Storage of Private Project’s Files

Arbaz Hussain
Aug 30, 2017 · 2 min read


Severity: High

Complexity: Easy

Weakness: Improper Storage of files on S3 Buckets


  • While testing a private program on HackerOne, whose main feature is letting users write code for a project and save that project as either Private or Public, I looked at where the saved files end up.
  • Whenever something is stored in a Public project, its files are saved to

https://REDACTED.s3.amazonaws.com/sagewfextdg/uploads/1494851423/1.py

Here sagewfextdg is the ID under which files for PUBLIC projects are stored.


  • The same thing tried with a Private project:

https://REDACTED.s3.amazonaws.com/sawexvecswt/uploads/1494851123/1.py

Here sawexvecswt is the ID under which files for Private projects are stored.


  • So now we have the IDs for both the Public and the Private project paths on the S3 bucket where files are saved. The only part of the key that changes from file to file is

/uploads/1494851423/1.py

  • The only unknown is /1494851423/, which is nothing but a Unix timestamp.

A Unix timestamp encodes the date, month, year, hour, minutes and seconds of the upload as a single number, so the entire key space for one day is just 86,400 values.

  • You can convert the timestamp to a human-readable format at http://www.unixtimestamp.com/
  • I wrote a simple script that generates every timestamp for a whole day (24 hours) using Python's datetime module and started fuzzing the path.
  • Demonstrated by placing a simple .JPG file in a project.
  • Result: able to access the private files of other users.

  • As a fix, they added an auth token verifier that is required to view or download files from the S3 bucket.
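The two root causes above are a guessable object key (a Unix timestamp, so at most 86,400 candidates per day) and the absence of any per-request authorization on the download path. The following is an added example, not code from the original post or from the affected program, showing the weak key scheme next to a hardened one and a minimal HMAC-based download token verifier of the kind the fix describes. The signing key, the owner table and all names are constructed for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Constructed for this example: in production the signing key lives in a
# secrets manager and is rotated; it is never a string in source code.
SIGNING_KEY = b"example-signing-key-not-for-production"
TOKEN_TTL_SECONDS = 300

# Constructed ownership table: object key -> user allowed to download it.
PROJECT_OWNERS = {
    "uploads/1494851123/1.py": "alice",
}


def weak_object_key(upload_time: int, filename: str) -> str:
    """The scheme from the write-up: the only secret is a Unix timestamp."""
    return f"uploads/{int(upload_time)}/{filename}"


def hardened_object_key(filename: str) -> str:
    """Unguessable key: 32 bytes (256 bits) from the OS CSPRNG."""
    return f"uploads/{secrets.token_urlsafe(32)}/{filename}"


def weak_key_search_space_per_day() -> int:
    """Number of candidate keys an attacker must try for one day of uploads."""
    return 24 * 60 * 60


def issue_download_token(user_id: str, object_key: str, now=None) -> str:
    """Bind user, object and expiry into a short-lived token: '<expires>.<hmac>'."""
    now = int(now if now is not None else time.time())
    expires = now + TOKEN_TTL_SECONDS
    msg = f"{user_id}|{object_key}|{expires}".encode()
    sig = hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()
    return f"{expires}.{sig}"


def verify_download_token(token: str, user_id: str, object_key: str, now=None) -> bool:
    """Recompute the MAC for the (user, object, expiry) triple and compare in constant time."""
    now = int(now if now is not None else time.time())
    try:
        expires_str, sig = token.split(".", 1)
        expires = int(expires_str)
    except ValueError:
        return False            # malformed token
    if now > expires:
        return False            # expired
    msg = f"{user_id}|{object_key}|{expires}".encode()
    expected = hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(sig, expected)


def authorize_download(requester: str, object_key: str, token: str, now=None) -> bool:
    """Server-side gate in front of the bucket: ownership check plus a valid,
    unexpired token bound to this requester and this object."""
    if PROJECT_OWNERS.get(object_key) != requester:
        return False
    return verify_download_token(token, requester, object_key, now=now)


if __name__ == "__main__":
    key = "uploads/1494851123/1.py"
    tok = issue_download_token("alice", key)
    print("owner with valid token:", authorize_download("alice", key, tok))
    print("other user, same token:", authorize_download("bob", key, tok))
    print("weak key guesses/day:", weak_key_search_space_per_day())
    print("hardened key example:", hardened_object_key("1.py"))
```

Either change alone narrows the hole; together they close it. A random key means enumeration is no longer feasible even if the bucket prefix leaks, and the token check means that knowing a key is still not enough, because every download is tied to an authenticated user and a short expiry. In a real deployment the token step is usually delegated to S3 presigned URLs, which bind the same information (object, expiry, signing identity) with the cloud provider's own signature.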
