Improper Storage of Private Project’s Files

Severity: High

Complexity: Easy

Weakness: Improper Storage of files on S3 Buckets

  • While testing a private program on HackerOne, whose main feature is writing code for a project and saving that project as Private or Public:
  • Whenever something is stored in a Public project, its files are saved under 1494851423/

Here sagewfextdg is the ID for the Public projects.

  • Tried the same thing with a Private project: 1494851123/

Here sawexvecswt is the ID for the Private projects.

  • Now we have the IDs of the Public and Private project folders in the S3 bucket where the files are saved.

  • The only other component of the path is /1494851423/, which is nothing but a timestamp.

The timestamp is a Unix epoch value (seconds since 1970-01-01 00:00:00 UTC), so it identifies the exact date and time (year, month, day, hour, minute, second) at which the file was saved, which makes it predictable.

  • You can convert the timestamp to a human-readable format from here.
  • Wrote a simple script to generate the timestamps for a whole day (24 hours) using Python's datetime module and started fuzzing.

Demonstrated by placing a simple .JPG file in a project.

  • Able to access the private files of other users.

  • As a fix, they added an auth token verifier that is checked before any file can be viewed or downloaded from the S3 bucket.
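From the defender's side, the enumeration described above leaves a distinctive trail: one client requesting many keys under the private prefix whose middle path component is a consecutive run of epoch timestamps, most of them refused. The following added example (not part of the original write-up or the program's own tooling) parses a constructed sample in the leading field order of S3 server access logs and flags such a client; the bucket name, IPs and key names are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the leading field order of S3 server access
# logs: owner, bucket, [time], remote IP, requester, request ID, operation,
# key, "request-URI", HTTP status (trailing fields omitted). The key layout
# <project-id>/<epoch>/<file> mirrors the write-up; values are made up.
SAMPLE_LOG = """\
owner examplebucket [15/May/2017:12:00:01 +0000] 203.0.113.7 - R1 REST.GET.OBJECT sawexvecswt/1494851120/demo.jpg "GET /sawexvecswt/1494851120/demo.jpg HTTP/1.1" 403
owner examplebucket [15/May/2017:12:00:01 +0000] 203.0.113.7 - R2 REST.GET.OBJECT sawexvecswt/1494851121/demo.jpg "GET /sawexvecswt/1494851121/demo.jpg HTTP/1.1" 403
owner examplebucket [15/May/2017:12:00:02 +0000] 203.0.113.7 - R3 REST.GET.OBJECT sawexvecswt/1494851122/demo.jpg "GET /sawexvecswt/1494851122/demo.jpg HTTP/1.1" 403
owner examplebucket [15/May/2017:12:00:02 +0000] 203.0.113.7 - R4 REST.GET.OBJECT sawexvecswt/1494851123/demo.jpg "GET /sawexvecswt/1494851123/demo.jpg HTTP/1.1" 200
owner examplebucket [15/May/2017:12:05:00 +0000] 198.51.100.9 - R5 REST.GET.OBJECT sawexvecswt/1494851123/demo.jpg "GET /sawexvecswt/1494851123/demo.jpg HTTP/1.1" 200
"""

LINE_RE = re.compile(
    r'^\S+ \S+ \[([^\]]+)\] (\S+) \S+ \S+ (\S+) (\S+) "[^"]*" (\d{3})')
KEY_RE = re.compile(r'^(?P<project>[^/]+)/(?P<ts>\d{10})/')


def find_enumeration(log_text, private_prefix, window_s=60, threshold=3):
    """Return {remote_ip: distinct_keys} for clients that were refused on
    at least `threshold` distinct timestamp-keyed objects under
    `private_prefix` within any `window_s`-second window."""
    denied = defaultdict(list)  # ip -> [(request epoch, key timestamp)]
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not follow the expected layout
        when, ip, op, key, status = m.groups()
        k = KEY_RE.match(key)
        if not k or k.group("project") != private_prefix:
            continue
        if op != "REST.GET.OBJECT" or status not in ("403", "404"):
            continue  # only refused reads count as probes
        t = datetime.strptime(when, "%d/%b/%Y:%H:%M:%S %z").timestamp()
        denied[ip].append((t, int(k.group("ts"))))

    alerts = {}
    for ip, events in denied.items():
        events.sort()
        for t0, _ in events:  # slide a window starting at each probe
            keys = {kt for t, kt in events if 0 <= t - t0 <= window_s}
            if len(keys) >= threshold:
                alerts[ip] = max(alerts.get(ip, 0), len(keys))
    return alerts
```

In the sample, 203.0.113.7 is flagged after three refused guesses, before its fourth request succeeds; the later single successful read from 198.51.100.9 is not.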