Finding hidden gems vol. 2: README.md, the story of a bit too helpful readme file

A README.md file is meant to be helpful. It is the first file to check when you look into a new project on GitHub. That's perfectly fine from a developer's perspective.

Sometimes this file stays as a development leftover all the way from the test environment to production. If it does not contain anything sensitive it is still fine.

Some time ago I found a README.md file which was way too helpful. It definitely should not have ended up in the production environment.

The case

So, the first lines of the file I found were:

The first thing you need is to install aws-cli, which is a simple command line tool that provides a client interface to AWS services.
You can find it here: http://docs.aws.amazon.com/cli/latest/userguide/installing.html
Once installed, you will need to provide some information to authenticate and be able to upload files to the bucket.

That was perfectly fine. Just one developer helping another. Install this and see docs there.

SANDBOX  
AWS Access Key ID: A*****************A
AWS Secret Access Key: P****************G
Default region name: us-east-1
Default output format [None]:
I have created a testing bucket for you in our sandbox environment, the bucket URI is s3://***********-sandbox.********.com
And to get you started with service, you can simply sync all the content of a specific folder to the S3 bucket by executing:
aws s3 sync /path/to/your/folder s3://***********-sandbox.********.com

Yes, yes, yes! Here I had an Amazon S3 bucket, possibly with valid access keys. To quote the Amazon docs:

Access keys consist of an access key ID and secret access key, which are used to sign programmatic requests that you make to AWS. If you don’t have access keys, you can create them from the AWS Management Console.

This sandbox AWS S3 bucket looked interesting, and we also had keys… but this bucket no longer existed. So I read further…

PROD  
aws configure
AWS Access Key ID: A*****************Q
Secret Access Key: k****************u
Default region name: us-east-1
Default output format [None]:
aws s3 sync ~/data/AWS/ s3://***********.com/  
new path
aws s3 sync ~/data/WORK/AWS/ s3://***********.com/
aws s3 sync ~/data/AWS/ s3://***********.com/

This was even better! No more sandbox, I was dealing with the production S3 instance now. And one more quote from the file:

Please go through this documentation, it's a great way to start with AWS S3: 
http://docs.aws.amazon.com/cli/latest/reference/s3/index.html
If you have any questions, please don't hesitate to contact me, I am available on Slack as well if you need some instant responses.

So I downloaded aws-cli and configured it. I just needed to check whether the keys still worked, so I uploaded a test file:

aws configure
AWS Access Key ID: A*****************Q
Secret Access Key: k****************u
Default region name: us-east-1
Default output format [None]:
aws s3 cp .\********.txt s3://***********.com/********.txt

The keys were valid: I managed to upload a test file to this bucket. So I was in. I just needed to write a report, submit it on the bug bounty platform they used, and wait for the bounty.

Aftermath

In the meantime, the company on whose website I found this bug stopped having a bug bounty program. Oops.

I searched for some kind of security contact but with no immediate results. Then I decided to send them a message on Twitter.


Me [31.08.2017]

Hi, I found a vulnerability in your service … I was unaware that your bb program is paused. Direct me to someone that I should report it to.

The other side [31.08.2017]

Hi Mateusz! Sorry for the delay. You can send an email to **************.com


The response time on Twitter was quick, but then…


Me [17.09.2017]

Hmm, I’ve sent an email about this issue to the email address above and got no response yet, please could you verify?

The other side [17.09.2017]

No worries Mateusz! Just a moment please while I verify that information.


Then I shared my email address with them, and again some time passed.


Me [4.10.2017]

Hi, any news? I’ve sent that email a month ago and got no response whatsoever.

They [5.10.2017]

Hi Mateusz! I’m so sorry for the delayed response! … Although we don’t have an active bounty, we would like to send you some promo codes …


It was kind of nice of them to offer me some promo codes for their services. Unfortunately, I was in no position to use them due to, let's say, geographical issues. I asked for a letter of reference, just to have some sort of recognition, but got no response again, so I dropped the topic.

Lessons learned

  • For myself — always dig deeper and spend more time exploring the AWS access gained, which I did not do this time. My bad.
  • Bug hunters — definitely add README.md to your dictionaries. There are more extensions (txt, adoc, rst …).
  • Developers — check which files are in your app's web root that should not be there.
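
One way to act on the developer lesson is a pre-deploy check that walks the web root, flags README-style leftovers, and reports lines that look like pasted `aws configure` credentials. This is an added example, not code from the original post; the function names, the list of file stems, and the sample web root are assumptions, and the key pair in the sample is the placeholder pair from AWS documentation.

```python
import re
import tempfile
from pathlib import Path

# Extensions named in the post (md, txt, adoc, rst); the stem list is an assumption.
DOC_SUFFIXES = {".md", ".txt", ".adoc", ".rst"}
DOC_STEMS = {"readme", "install", "changelog", "todo", "notes"}
# Long-term (AKIA) and temporary (ASIA) access key IDs: prefix + 16 upper-case alphanumerics.
KEY_ID_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# A "Secret Access Key: <value>" line as pasted from an `aws configure` session.
SECRET_RE = re.compile(r"secret\s+access\s+key\s*[:=]\s*(\S{20,})", re.IGNORECASE)


def scan_web_root(root):
    """Return (relative_path, line_no, finding) tuples; line_no 0 means the file itself."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix.lower() not in DOC_SUFFIXES:
            continue
        rel = path.relative_to(root).as_posix()
        if path.stem.lower() in DOC_STEMS:
            findings.append((rel, 0, "doc-leftover"))
        text = path.read_text(encoding="utf-8", errors="replace")
        for no, line in enumerate(text.splitlines(), start=1):
            if KEY_ID_RE.search(line):
                findings.append((rel, no, "aws-access-key-id"))
            if SECRET_RE.search(line):
                findings.append((rel, no, "aws-secret-access-key"))
    return findings


def demo():
    """Scan a constructed web root: one page, one harmless .txt, one leaky README."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.html").write_text("<h1>hello</h1>\n")
        (root / "robots.txt").write_text("User-agent: *\n")
        (root / "README.md").write_text(
            "aws configure\n"
            "AWS Access Key ID: AKIAIOSFODNN7EXAMPLE\n"
            "Secret Access Key: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
        )
        return scan_web_root(root)


if __name__ == "__main__":
    for rel, no, kind in demo():
        print(f"{rel}:{no}: {kind}")
```

Run it against the build output before it is published and fail the deploy on any finding; a key that has already shipped should be rotated, not just removed from the file.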