How to exploit misconfigured AWS S3 Buckets?

Vignesh C
Apr 2, 2019 · 2 min read

I found a misconfigured S3 bucket at a global customer-service tech company; the misconfiguration allowed any authenticated user to upload files to and delete files from their S3 bucket.

I am redacting the bucket name and company name as “<xyz>” at the request of the affected company.

Bucket : https://<xyz>-uploads.s3-eu-west-1.amazonaws.com/

Proof-of-concept:

  1. Configure the AWS CLI on your Windows/Linux/Mac machine.
  2. Execute the commands below from the CLI.

Uploading a file — aws s3 cp test.html s3://<xyz>-uploads/

Deleting a file — aws s3 rm s3://<xyz>-uploads/test.html

Listing the files — aws s3 ls s3://<xyz>-uploads/

  3. I received an email from the VP of engineering that they had fixed the issue; below is my confirmation to them.

Recommendation:

  1. Review the bucket ACLs to verify that WRITE and WRITE_ACP are granted only to specific users, never to groups such as AllUsers or AuthenticatedUsers.
  2. Review how your application uploads objects to S3 and make sure the proper ACLs are set on both the bucket and each object.
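The ACL review in recommendation 1 can be automated. The script below is an added example, not part of the original post or anything from the affected company: it parses the JSON document that `aws s3api get-bucket-acl --bucket <name>` (or `get-object-acl`) prints and flags every grant that gives the predefined AllUsers or AuthenticatedUsers group WRITE, WRITE_ACP or FULL_CONTROL (which implies both). The group URIs and permission names are the ones AWS uses; the sample ACL embedded below is constructed for the demonstration and the bucket name in it is a placeholder.

```python
import json
import sys

# Group URIs AWS uses for its predefined (public) grantee groups.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS: "AllUsers", AUTHENTICATED_USERS: "AuthenticatedUsers"}

# Permissions that let a grantee add or delete objects (WRITE) or change the
# ACL itself (WRITE_ACP). FULL_CONTROL is included because it implies both.
WRITE_PERMISSIONS = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}


def find_public_write_grants(acl):
    """Return (group name, permission) for every grant in an S3 ACL document
    that hands write access to one of the predefined public groups.

    `acl` is the parsed JSON from `aws s3api get-bucket-acl` / `get-object-acl`:
    {"Owner": {...}, "Grants": [{"Grantee": {...}, "Permission": "..."}, ...]}
    """
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue  # CanonicalUser / AmazonCustomerByEmail grants are specific principals
        group = PUBLIC_GROUPS.get(grantee.get("URI"))
        if group is None:
            continue  # e.g. the LogDelivery group, which is not a public grantee
        if grant.get("Permission") in WRITE_PERMISSIONS:
            findings.append((group, grant["Permission"]))
    return findings


def audit_acl_json(acl_json):
    """Parse an ACL document from a string and return the public write findings."""
    return find_public_write_grants(json.loads(acl_json))


# Constructed sample in the shape `aws s3api get-bucket-acl` returns. It models
# the misconfiguration described in the post: the owner keeps FULL_CONTROL,
# AllUsers may read, and AuthenticatedUsers may write objects and the ACL.
SAMPLE_MISCONFIGURED_ACL = """
{
  "Owner": {"DisplayName": "example-owner", "ID": "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"},
  "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"},
     "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"},
     "Permission": "WRITE"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"},
     "Permission": "WRITE_ACP"}
  ]
}
"""

# Constructed sample of a correctly locked-down bucket: only the owner has access.
SAMPLE_PRIVATE_ACL = """
{
  "Owner": {"DisplayName": "example-owner", "ID": "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"},
  "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"},
     "Permission": "FULL_CONTROL"}
  ]
}
"""


if __name__ == "__main__":
    # Usage: aws s3api get-bucket-acl --bucket <bucket-name> | python3 s3_acl_audit.py
    # With no piped input, the constructed sample is audited instead.
    acl_text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_MISCONFIGURED_ACL
    findings = audit_acl_json(acl_text)
    if not findings:
        print("OK: no public group holds WRITE, WRITE_ACP or FULL_CONTROL")
    for group, permission in findings:
        print(f"FINDING: group {group} has {permission}")
    sys.exit(1 if findings else 0)
```

A non-zero exit code makes the check usable in CI or a scheduled job across all buckets (loop over `aws s3api list-buckets`). Object ACLs need the same review (recommendation 2), since an uploader that sets `--acl public-read-write` on each object re-creates the problem even on a private bucket; the function above accepts `get-object-acl` output unchanged. Enabling S3 Block Public Access on the account or bucket causes S3 to ignore such public ACL grants, which is the cheapest backstop while the application code is being fixed.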

Note: Newly created Amazon S3 buckets and objects are private and protected by default.

Happy Hacking!

@thevickyvigi
